94 research outputs found

    Traffic Engineering with Segment Routing: SDN-based Architectural Design and Open Source Implementation

    Traffic Engineering (TE) in IP carrier networks is one of the functions that can benefit from the Software Defined Networking paradigm. By logically centralizing the control of the network, it is possible to "program" per-flow routing based on TE goals. Traditional per-flow routing requires a direct interaction between the SDN controller and each node that is involved in the traffic paths. Depending on the granularity and on the temporal properties of the flows, this can lead to scalability issues for the amount of routing state that needs to be maintained in core network nodes and for the required configuration traffic. On the other hand, Segment Routing (SR) is an emerging approach to routing that may simplify the route enforcement delegating all the configuration and per-flow state at the border of the network. In this work we propose an architecture that integrates the SDN paradigm with SR-based TE, for which we have provided an open source reference implementation. We have designed and implemented a simple TE/SR heuristic for flow allocation and we show and discuss experimental results. Comment: Extended version of poster paper accepted for EWSDN 2015 (version v4 - December 2015

    D-STREAMON: from middlebox to distributed NFV framework for network monitoring

    Many reasons make NFV an attractive paradigm for IT security: lower costs, agile operations and better isolation as well as fast security updates, improved incident responses and better level of automation. On the other side, the network threats tend to be increasingly complex and distributed, implying huge traffic scale to be monitored and increasingly strict mitigation delay requirements. Considering the current trend of the networking and the requirements to counteract the evolution of cyber-threats, it is expected that also network monitoring will move towards NFV based solutions. In this paper, we present D-StreaMon, an NFV-capable distributed framework for network monitoring realized to face the above described challenges. It relies on the StreaMon platform, a solution for network monitoring originally designed for traditional middleboxes. An evolution path which migrates StreaMon from middleboxes to Virtual Network Functions (VNFs) has been realized. Comment: Short paper at IEEE LANMAN 2017. arXiv admin note: text overlap with arXiv:1608.0137

    OSHI - Open Source Hybrid IP/SDN networking (and its emulation on Mininet and on distributed SDN testbeds)

    The introduction of SDN in IP backbones requires the coexistence of regular IP forwarding and SDN based forwarding. The former is typically applied to best effort Internet traffic, the latter can be used for different types of advanced services (VPNs, Virtual Leased Lines, Traffic Engineering...). In this paper we first introduce the architecture and the services of a "hybrid" IP/SDN networking scenario. Then we describe the design and implementation of an Open Source Hybrid IP/SDN (OSHI) node. It combines Quagga for OSPF routing and Open vSwitch for OpenFlow based switching on Linux. The availability of tools for experimental validation and performance evaluation of SDN solutions is fundamental for the evolution of SDN. We provide a set of open source tools that allow to facilitate the design of hybrid IP/SDN experimental networks, their deployment on Mininet or on distributed SDN research testbeds and their test. Finally, using the provided tools, we evaluate key performance aspects of the proposed solutions. The OSHI development and test environment is available in a VirtualBox VM image that can be downloaded. Comment: Final version (Last updated August, 2014

    Are crowd-sourced CTI datasets ready for supporting anti-cybercrime intelligence?

    Cyber crimes rapidly increased over the past years, with attackers performing large-scale activities, using sophisticated and complex tactics and techniques, that have targeted governments, companies, and even strategic infrastructures. To tackle these attacks, the cyber-security community usually shares Cyber Threat Intelligence (CTI) that includes the collected Indicators of Compromise (IoC) using several open or private sharing platforms. In this paper, we study the informativeness and relevance of the IoCs related to cyber crimes following a major real-world event such as the war in Ukraine, which started in February 2022. To this end, we analyze different kinds of attacks available in a crowd-sourced dataset of Cyber Threat Intelligence (CTI) reports. Our analysis shows that while this data is able to capture major trends such as the ones following major events, the degree of miscellaneous information inside the reports makes it difficult to discern the association of a specific trace unequivocally. The work of UC3M has been supported by the Spanish Ministry of Economic Affairs and Digital Transformation and the European Union-NextGenerationEU through the UNICO 5G I+D project 6G-RIEMANN. The work of NEC Laboratories Europe has been supported by the EU research projects MARSAL (Grant Agreement 101017171) and DESIRE6G (Grant Agreement 101096466).

    On the Fly Orchestration of Unikernels: Tuning and Performance Evaluation of Virtual Infrastructure Managers

    Network operators are facing significant challenges meeting the demand for more bandwidth, agile infrastructures, innovative services, while keeping costs low. Network Functions Virtualization (NFV) and Cloud Computing are emerging as key trends of 5G network architectures, providing flexibility, fast instantiation times, support of Commercial Off The Shelf hardware and significant cost savings. NFV leverages Cloud Computing principles to move the data-plane network functions from expensive, closed and proprietary hardware to the so-called Virtual Network Functions (VNFs). In this paper we deal with the management of virtual computing resources (Unikernels) for the execution of VNFs. This functionality is performed by the Virtual Infrastructure Manager (VIM) in the NFV MANagement and Orchestration (MANO) reference architecture. We discuss the instantiation process of virtual resources and propose a generic reference model, starting from the analysis of three open source VIMs, namely OpenStack, Nomad and OpenVIM. We improve the aforementioned VIMs introducing the support for special-purpose Unikernels and aiming at reducing the duration of the instantiation process. We evaluate some performance aspects of the VIMs, considering both stock and tuned versions. The VIM extensions and performance evaluation tools are available under a liberal open source licence

    Re-designing Dynamic Content Delivery in the Light of a Virtualized Infrastructure

    We explore the opportunities and design options enabled by novel SDN and NFV technologies, by re-designing a dynamic Content Delivery Network (CDN) service. Our system, named MOSTO, provides performance levels comparable to that of a regular CDN, but does not require the deployment of a large distributed infrastructure. In the process of designing the system, we identify relevant functions that could be integrated in the future Internet infrastructure. Such functions greatly simplify the design and effectiveness of services such as MOSTO. We demonstrate our system using a mixture of simulation, emulation, testbed experiments and by realizing a proof-of-concept deployment in a planet-wide commercial cloud system. Comment: Extended version of the paper accepted for publication in JSAC special issue on Emerging Technologies in Software-Driven Communication - November 201

    PMSR - Poor Man's Segment Routing, a minimalistic approach to Segment Routing and a Traffic Engineering use case

    The current specification of the Segment Routing (SR) architecture requires enhancements to the intra-domain routing protocols (e.g. OSPF and IS-IS) so that the nodes can advertise the Segment Identifiers (SIDs). We propose a simpler solution called PMSR (Poor Man's Segment Routing), that does not require any enhancement to routing protocol. We compare the procedures of PMSR with traditional SR, showing that PMSR can reduce the operation and management complexity. We analyze the set of use cases in the current SR drafts and we claim that PMSR can support the large majority of them. Thanks to the drastic simplification of the Control Plane, we have been able to develop an Open Source prototype of PMSR. In the second part of the paper, we consider a Traffic Engineering use case, starting from a traditional flow assignment optimization problem which allocates hop-by-hop paths to flows. We propose a SR path assignment algorithm and prove that it is optimal with respect to the number of segments allocated to a flow. Comment: September 2015 - Paper accepted to the Mini-conference track of NOMS 201

    Flammability reduction in a pressurised water electrolyser based on a thin polymer electrolyte membrane through a Pt-alloy catalytic approach

    Various Pt-based materials (unsupported Pt, PtRu, PtCo) were investigated as catalysts for recombining hydrogen and oxygen back into water. The recombination performance correlated well with the surface Pt metallic state. Alloying cobalt to platinum was observed to produce an electron transfer favouring the occurrence of a large fraction of the Pt metallic state on the catalyst surface. Unsupported PtCo showed both excellent recombination performance and dynamic behaviour. In a packed bed catalytic reactor, when hydrogen was fed at 4% vol. in the oxygen stream (flammability limit), 99.5% of the total H₂ content was immediately converted to water in the presence of PtCo thus avoiding safety issues. The PtCo catalyst was thus integrated in the anode of the membrane-electrode assembly of a polymer electrolyte membrane electrolysis cell. This catalyst showed good capability to reduce the concentration of hydrogen in the oxygen stream under differential pressure operation (1-20 bar), in the presence of a thin (90 µm) Aquivion® membrane. The modified system showed lower hydrogen concentration in the oxygen flow than electrolysis cells based on state-of-the-art thick polymer electrolyte membranes and allowed to expand the minimum current density load down to 0.15 A cm⁻². The electrolysis cell equipped with a dual layer PtCo/IrRuOx oxidation catalyst achieved a high operating current density (3 A cm⁻²) as requested to decrease the system capital costs, under high efficiency conditions (about 77% efficiency at 55°C and 20 bar). Moreover, the electrolysis system showed reduced probability to reach the flammability limit under both high differential pressure (20 bar) and partial load operation (5%), as needed to properly address grid-balancing service