67 research outputs found

    DISCO: Distributed Multi-domain SDN Controllers

    Modern multi-domain networks now span datacenter networks, enterprise networks, customer sites and mobile entities. Such networks are critical and, thus, must be resilient, scalable and easily extensible. The emergence of Software-Defined Networking (SDN) protocols, which make it possible to decouple the data plane from the control plane and dynamically program the network, opens up new ways to architect such networks. In this paper, we propose DISCO, an open and extensible DIstributed SDN COntrol plane able to cope with the distributed and heterogeneous nature of modern overlay networks and wide area networks. DISCO controllers manage their own network domain and communicate with each other to provide end-to-end network services. This communication is based on a unique lightweight and highly manageable control channel used by agents to self-adaptively share aggregated network-wide information. We implemented DISCO on top of the Floodlight OpenFlow controller and the AMQP protocol. We demonstrated how DISCO's control plane dynamically adapts to heterogeneous network topologies while being resilient enough to survive disruptions and attacks and providing classic functionalities such as end-point migration and network-wide traffic engineering. The experimentation results we present are organized around three use cases: inter-domain topology disruption, end-to-end priority service request and virtual machine migration.

    Optimal Orchestration of Virtual Network Functions

    The emergence of Network Functions Virtualization (NFV) is bringing a set of novel algorithmic challenges in the operation of communication networks. NFV introduces volatility in the management of network functions, which can be dynamically orchestrated, i.e., placed, resized, etc. Virtual Network Functions (VNFs) can belong to VNF chains, where nodes in a chain can serve multiple demands coming from the network edges. In this paper, we formally define the VNF placement and routing (VNF-PR) problem, proposing a versatile linear programming formulation that is able to accommodate specific features and constraints of NFV infrastructures, and that is substantially different from existing virtual network embedding formulations in the state of the art. We also design a math-heuristic able to scale with multiple objectives and large instances. By extensive simulations, we draw conclusions on the trade-off achievable between classical traffic engineering (TE) and NFV infrastructure efficiency goals, evaluating both Internet access and Virtual Private Network (VPN) demands. We also quantitatively compare the performance of our VNF-PR heuristic with the classical Virtual Network Embedding (VNE) approach proposed for NFV orchestration, showing the computational differences, and how our approach can provide a more stable and closer-to-optimum solution.

    Let there be Chaining: How to Augment your IGP to Chain your Services

    Ever since Network Functions Virtualization has replaced dedicated appliances, ISPs have been able to add a degree of flexibility in their traffic engineering. However, it also has increased the complexity of the optimization problem, because it is now necessary to place virtual functions and route traffic jointly. So far, a logically centralized approach has been taken, where a so-called orchestrator, having full knowledge of the network, the virtual functions, and the traffic, runs complex algorithms to find a suitable solution to the problem. The outcome of the algorithms is then translated to network configurations to be pushed to all of the appliances. We argue that there is no need to fully centralize every decision; rather, we can leverage existing network intelligence to achieve the same goal. In particular, we propose to augment the routing layer with the notion of services, so as to rely on the robustness and scalability of Interior Gateway Protocols (IGP). Our solution leverages existing distributed routing protocols where, in addition, autonomous nodes announce information about the virtual services they provide. Our design is modular and incrementally deployable and has been implemented in what we call an NFV Router. In our evaluation, we show that (i) NFV Routers' distributed chaining decisions are close to optimal centrally-computed paths, (ii) on a large scale testbed deployment, NFV Routers efficiently steer traffic through chains and only add a small overhead to control traffic and (iii) our distributed system, because of its local control loop, has a faster reaction to network events than centralized solutions.

    StateSec: Stateful Monitoring for DDoS Protection in Software Defined Networks

    To be presented at IEEE NetSoft, 3-7 July 2017, Bologna, Italy. Software-Defined Networking (SDN) allows for fast reactions to security threats by dynamically enforcing simple forwarding rules as countermeasures. However, in classic SDN all the intelligence resides at the controller, with the switches only capable of performing stateless forwarding as ruled by the controller. It follows that the controller, in addition to network management and control duties, must collect and process any piece of information required to take advanced (stateful) forwarding decisions. This threatens both to overload the controller and to congest the control channel. On the other hand, stateful SDN represents a new concept, developed both to improve reactivity and to offload the controller and the control channel by delegating local treatments to the switches. In this paper, we adopt this stateful paradigm to protect end-hosts from Distributed Denial of Service (DDoS). We propose StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate DDoS attacks. StateSec monitors packets matching configurable traffic features (e.g., IP src/dst, port src/dst) without resorting to the controller. By feeding an entropy-based algorithm with such monitoring features, StateSec detects and mitigates several threats such as (D)DoS and port scans with high accuracy. We implemented StateSec and compared it with a state-of-the-art approach to monitor traffic in SDN. We show that StateSec is more efficient: it achieves very accurate detection levels, limiting at the same time the control plane overhead.

    On the Necessity of Accounting for Resiliency in SFC

    When deploying network service function chains, the focus is usually on metrics such as the cost, the latency, or the energy, and it is assumed that the underlying cloud infrastructure provides resiliency mechanisms to handle the disruptions occurring in the physical infrastructure. In this position paper, we advocate that while usual performance metrics are essential to decide on the deployment of network service function chains, the notion of resiliency should not be neglected, as the choice of virtual-to-physical placement may dramatically improve the ability of the service chains to handle failures of the infrastructure without requiring complex resiliency mechanisms.

    Content Distribution and OpenFlow: a Reality Check

    Demo at 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks, 7-9 November 2016, Palo Alto, CA, USA. With the advent of virtualization and network function softwarization, the networking world shifts to Software Defined Networking (SDN). The OpenFlow protocol is one of the most suitable candidates to implement the SDN concept. In the meanwhile, the generalization of broadband Internet (mobile, cable, DSL, fiber etc.) has led to massive content consumption. However, while content is usually retrieved via layer 7 protocols, OpenFlow operations are performed at lower layers (layer 4 or lower), making the protocol completely ineffective to deal with content. To address this issue, we proposed and developed an API to manage content in OpenFlow networks. We implemented this API using open source software and study the impact of logical centralization suggested by SDN on network performance.

    Seamless content distribution with OpenFlow

    With the advent of virtualization and network function softwarization, the networking world shifts to Software Defined Networking (SDN) and OpenFlow is one of the most suitable candidates to implement the southbound API. In the meanwhile, the generalization of broadband Internet has led to massive content consumption. However, while content is usually retrieved via layer 7 protocols, OpenFlow operations are performed at lower layers (layer 4 or lower), making the protocol ineffective to deal with content. To address this issue, we define an abstraction to unify network level and content level operations and present a straw-man logically centralized architecture proposal to support it. Our implementation demonstrates the feasibility of the solution and its advantage over a fully centralized approach.

    Assessing RoQ Attacks on MANETs over Aware and Unaware TPC Techniques

    Adaptation mechanisms, such as transmission power control (TPC) techniques, cognitive radio technology and intelligent antennas, have been applied to efficiently manage the use of resources on wireless ad hoc networks. However, these mechanisms open doors for Reduction of Quality (RoQ) attacks. Those attacks damage network services by exploiting adaptation capability, and they can be easily launched on mobile ad hoc networks (MANETs). This paper assesses the influence of RoQ attacks on MANETs, aiming to provide insights and lead the design of control access mechanisms able to prevent or mitigate them. We evaluate MANETs supported by a modified IEEE 802.11 using unaware and aware TPC techniques. We analyze the impact of three types of RoQ attacks by simulations, and we show their effect over more dynamic aware TPC techniques.