Improving the performance of Virtualized Network Services based on NFV and SDN

Network Functions Virtualisation (NFV) proposes to move all the traditional network appliances, which require dedicated physical machine, onto virtualised environment (e.g,. Virtual Machine). In this way, many of the current physical devices present in the infrastructure are replaced with standard high volume servers, which could be located in Datacenters, at the edge of the network and in the end user premises. This enables a reduction of the required physical resources thanks to the use of virtualization technologies, already used in cloud computing, and allows services to be more dynamic and scalable. However, differently from traditional cloud applications which are rather demanding in terms of CPU power, network applications are mostly I/O bound, hence the virtualization technologies in use (either standard VM-based or lightweight ones) need to be improved to maximize the network performance. A series of Virtual Network Functions (VNFs) can be connected to each other thanks to Software-Defined Networks (SDN) technologies (e.g., OpenFlow) to create a Network Function Forwarding Graph (NF-FG) that processes the network traffic in the configured order of the graph. Using NF-FGs it is possible to create arbitrary chains of services, and transparently configure different virtualized network services, which can be dynamically instantiated and rearranges depending on the requested service and its requirements. However, the above virtualized technologies are rather demanding in terms of hardware resources (mainly CPU and memory), which may have a non-negligible impact on the cost of providing the services according to this paradigm. This thesis will investigate this problem, proposing a set of solutions that enable the novel NFV paradigm to be efficiently used, hence being able to guarantee both flexibility and efficiency in future network services

Assessing the Performance of Virtualization Technologies for NFV: a Preliminary Benchmarking

The NFV paradigm transforms those applications executed for decades in dedicated appliances, into software images to be consolidated in standard server. Although NFV is implemented through cloud computing technologies (e.g., virtual machines, virtual switches), the network traffic that such components have to handle in NFV is different than the traffic they process when used in a cloud computing scenario. Then, this paper provides a (preliminary) benchmarking of the widespread virtualization technologies when used in NFV, which means when they are exploited to run the so called virtual network functions and to chain them in order to create complex services

COMPOSER: A compact open-source service platform

Compute and network virtualization enable to deliver network services with unprecedented agility and flexibility based on (a) the programmatic placement of service functions across the available infrastructure and (b) the real-time setup of the corresponding network paths. This paper presents and validates COMPOSER, a compact, flexible and high-performance service platform for the deployment of network services. COMPOSER supports multiple virtualization engines (e.g., virtual machines, containers, native network functions) and it can use seamlessly the above different execution environments to instantiate network services belonging to different chains, hence facilitating domain-oriented orchestration and enabling the joint optimization of compute and network resources. We demonstrate that COMPOSER can run on resource-constrained hardware, such as residential gateways, as well as on high-performance servers. Finally, COMPOSER integrates optimized data plane components that enable our platform to reach top-class results with respect to data plane performance as well

Offloading personal security applications to a secure and trusted network node

The current device-centric protection model against security threats has serious limitations from the final user perspective, among the other the necessity to keep each device updated with the latest security updates and the necessity to replicate all the security polices across all devices. In our model, the protection is decoupled from the users terminals and it is provided through a Trusted Virtual Domain (TVD) instantiated in future edge routers. Each TVD provides unified and homogeneous security for a single user, irrespective of the terminal employed. This paper shows a first prototype implementing this concept through a network element, called Network Edge Device, capable of running the proposed virtualized architecture and making extensive use of SDN technologies, with the aim at providing a uniform security level for the final user

Enforcement of dynamic HTTP policies on resource-constrained residential gateways

Given that nowadays users access content mostly through mobile apps and web services, both based on HTTP, several filtering applications, such as parental control, malware detection, and corporate policy enforcement, require inspecting Universal Resource Locators (URLs) contained in HTTP requests. Currently, such filtering is most commonly performed in end devices or in middleboxes. Filtering applications running on end devices are less resource intensive because they operate only on traffic from a single user and possibly leverage a hook at the HTTP level to access protocol data, but it is left to the user whether to execute them. On the other hand, middleboxes present the challenge of ensuring that they lay on the path of all the traffic from any relevant device. Residential gateways seem to be the ideal place where to implement traffic filtering because they forward all traffic generated by the hosts on home(-office) networks. However, these devices usually have very limited computation and memory resources, while URL-based filtering is quite demanding. In fact existing approaches rely on a large database of rules coupled with either deep packet inspection or transparent proxying for URL extraction. This paper introduces U-Filter, a URL filtering solution based on a distributed architecture where a lightweight, efficient URL extraction and policy enforcement component runs on residential gateways, delegating to a remote policy server the resource intensive task of verifying policy compliance. Thanks to the lightweight communication between the two components and the very limited resource requirements of the local module, U-Filter (i) can be deployed on resource-limited devices such as residential gateways, and (ii) has almost no impact on the performance of the device, as well as on the users’ browsing experience, as demonstrated by the experiments presented in the paper

An efficient data exchange mechanism for chained network functions

Thanks to the increasing success of virtualization technologies and processing capabilities of computing devices, the deployment of virtual network functions is evolving towards a unified approach aiming at concentrating a huge amount of such functions within a limited number of commodity servers. To keep pace with this trend, a key issue to address is the definition of a secure and efficient way to move data between the different virtualized environments hosting the functions and a centralized component that builds the function chains within a single server. This paper proposes an efficient algorithm that realizes this vision and that, by exploiting the peculiarities of this application domain, is more efficient than classical solutions. The algorithm that manages the data exchanges is validated by performing a formal verification of its main safety and security properties, and an extensive functional and performance evaluation is presented

End-to-end service orchestration across SDN and cloud computing domains

This paper presents an open-source orchestration framework that deploys end-to-end services across OpenStack-managed data centers and SDN networks controlled either by ONOS or OpenDaylight. The proposed framework improves existing software in two directions. First, it exploits SDN domains not only to implement traffic steering, but also to execute selected network functions (e.g., NAT). Second, it can deploy a service by partitioning the original service graph into multiple subgraphs, each one instantiated in a different domain, dynamically connected by means of traffic steering rules and parameters (e.g. VLAN IDs) negotiated at run-time

Modeling Native Software Components as Virtual Network Functions

Virtual Network Functions (VNFs) are often realized using virtual machines (VMs) because they provide an isolated environment compatible with classical cloud computing technologies. However, VMs are demanding in terms of required resources (CPU and memory) and therefore not suitable for low-cost devices like residential gateways. Such equipment often runs a Linux-based operating system that includes by default a (large) number of common network functions, which can provide some of the services otherwise offered by simple VNFs, but with reduced overhead. In this paper those native software components are made available through a Network Function Virtualization (NFV) platform, thus making their use transparent from the VNF developer point of vie

Enabling NFV Services on Resource-Constrained CPEs

Virtual Network Functions (VNFs) are often implemented using virtual machines (VMs) because they provide an isolated environment compatible with classical cloud computing technologies. Unfortunately, VMs are demanding in terms of required resources and therefore are not suitable for resource-constrained devices such as residential CPEs. However, such hardware often runs a Linux-based operating system that supports several software modules (e.g., iptables) that can be used to implement network functions (e.g., a firewall), which can be exploited to provide some of the services offered by simple VNFs, but with reduced overhead. In this paper we propose and validate an architecture that integrates those native software components in a Network Function Virtualization (NFV) platform, making their use transparent from the user's point of view

Enabling NFV Services on Resource-Constrained CPEs

Virtual Network Functions (VNFs) are often implemented using virtual machines (VMs) because they provide an isolated environment compatible with classical cloud computing technologies. Unfortunately, VMs are demanding in terms of required resources and therefore are not suitable for resource-constrained devices such as residential CPEs. However, such hardware often runs a Linux-based operating system that supports several software modules (e.g., iptables) that can be used to implement network functions (e.g., a firewall), which can be exploited to provide some of the services offered by simple VNFs, but with reduced overhead. In this paper we propose and validate an architecture that integrates those native software components in a Network Function Virtualization (NFV) platform, making their use transparent from the user’s point of view