67 research outputs found
DISCO: Distributed Multi-domain SDN Controllers
Modern multi-domain networks now span over datacenter networks, enterprise
networks, customer sites and mobile entities. Such networks are critical and,
thus, must be resilient, scalable and easily extensible. The emergence of
Software-Defined Networking (SDN) protocols, which make it possible to decouple the data
plane from the control plane and dynamically program the network, opens up new
ways to architect such networks. In this paper, we propose DISCO, an open and
extensible DIstributed SDN COntrol plane able to cope with the distributed and
heterogeneous nature of modern overlay networks and wide area networks. DISCO
controllers manage their own network domain and communicate with each other to
provide end-to-end network services. This communication is based on a unique
lightweight and highly manageable control channel used by agents to
self-adaptively share aggregated network-wide information. We implemented DISCO
on top of the Floodlight OpenFlow controller and the AMQP protocol. We
demonstrated how DISCO's control plane dynamically adapts to heterogeneous
network topologies while being resilient enough to survive disruptions and
attacks and providing classic functionalities such as end-point migration and
network-wide traffic engineering. The experimentation results we present are
organized around three use cases: inter-domain topology disruption, end-to-end
priority service request and virtual machine migration
Optimal Orchestration of Virtual Network Functions
The emergence of Network Functions Virtualization (NFV) is bringing a set of
novel algorithmic challenges in the operation of communication networks. NFV
introduces volatility in the management of network functions, which can be
dynamically orchestrated, i.e., placed, resized, etc. Virtual Network Functions
(VNFs) can belong to VNF chains, where nodes in a chain can serve multiple
demands coming from the network edges. In this paper, we formally define the
VNF placement and routing (VNF-PR) problem, proposing a versatile linear
programming formulation that is able to accommodate specific features and
constraints of NFV infrastructures, and that is substantially different from
existing virtual network embedding formulations in the state of the art. We
also design a math-heuristic able to scale with multiple objectives and large
instances. By extensive simulations, we draw conclusions on the trade-off
achievable between classical traffic engineering (TE) and NFV infrastructure
efficiency goals, evaluating both Internet access and Virtual Private Network
(VPN) demands. We do also quantitatively compare the performance of our VNF-PR
heuristic with the classical Virtual Network Embedding (VNE) approach proposed
for NFV orchestration, showing the computational differences, and how our
approach can provide a more stable and closer-to-optimum solution
Let there be Chaining: How to Augment your IGP to Chain your Services
Ever since Network Functions Virtualization has replaced dedicated appliances, ISPs have been able to add a degree of flexibility in their traffic engineering. However, it also has increased the complexity of the optimization problem, because it is now necessary to place virtual functions and route traffic jointly. So far, a logically centralized approach has been taken, where a so-called orchestrator, having full knowledge of the network, the virtual functions, and the traffic, runs complex algorithms to find a suitable solution to the problem. The outcome of the algorithms is then translated to network configurations to be pushed to all of the appliances. We argue that there is no need to fully centralize every decision, rather we can leverage existing network intelligence to achieve the same goal. In particular we propose to augment the routing layer with the notion of services, so as to rely on the robustness and scalability of Interior Gateway Protocols (IGP). Our solution leverages existing distributed routing protocols where, in addition, autonomous nodes announce information about the virtual services they provide. Our design is modular and incrementally deployable and has been implemented in what we call an NFV Router. In our evaluation, we show that (i) NFV Routers' distributed chaining decisions are close to optimal centrally-computed paths, (ii) on a large scale testbed deployment, NFV Routers efficiently steer traffic through chains and only add a small overhead to control traffic and (iii) our distributed system, because of its local control loop, has a faster reaction to network events than centralized solutions
StateSec: Stateful Monitoring for DDoS Protection in Software Defined Networks
To be presented at IEEE NetSoft, 3-7 July 2017, Bologna, Italy. Software-Defined Networking (SDN) allows for fast reactions to security threats by dynamically enforcing simple forwarding rules as countermeasures. However, in classic SDN all the intelligence resides at the controller, with the switches only capable of performing stateless forwarding as ruled by the controller. It follows that the controller, in addition to network management and control duties, must collect and process any piece of information required to take advanced (stateful) forwarding decisions. This threatens both to overload the controller and to congest the control channel. On the other hand, stateful SDN represents a new concept, developed both to improve reactivity and to offload the controller and the control channel by delegating local treatments to the switches. In this paper, we adopt this stateful paradigm to protect end-hosts from Distributed Denial of Service (DDoS). We propose StateSec, a novel approach based on in-switch processing capabilities to detect and mitigate DDoS attacks. StateSec monitors packets matching configurable traffic features (e.g., IP src/dst, port src/dst) without resorting to the controller. By feeding an entropy-based algorithm with such monitoring features, StateSec detects and mitigates several threats such as (D)DoS and port scans with high accuracy. We implemented StateSec and compared it with a state-of-the-art approach to monitor traffic in SDN. We show that StateSec is more efficient: it achieves very accurate detection levels, limiting at the same time the control plane overhead
On the Necessity of Accounting for Resiliency in SFC
When deploying network service function chains, the focus is usually placed on metrics such as the cost, the latency, or the energy, and it is assumed that the underlying cloud infrastructure provides resiliency mechanisms to handle the disruptions occurring in the physical infrastructure. In this position paper, we advocate that while usual performance metrics are essential to decide on the deployment of network service function chains, the notion of resiliency should not be neglected, as the choice of virtual-to-physical placement may dramatically improve the ability of the service chains to handle failures of the infrastructure without requiring complex resiliency mechanisms
Content Distribution and OpenFlow: a Reality Check
Demo at 2016 IEEE Conference on Network Function Virtualization and Software Defined Networks, 7-9 November 2016, Palo Alto, CA, USA. With the advent of virtualization and network function softwarization, the networking world shifts to Software Defined Networking (SDN). The OpenFlow protocol is one of the most suitable candidates to implement the SDN concept. In the meanwhile, the generalization of broadband Internet (mobile, cable, DSL, fiber etc.) has led to massive content consumption. However, while content is usually retrieved via layer 7 protocols, OpenFlow operations are performed at lower layers (layer 4 or lower) making the protocol completely ineffective to deal with content. To address this issue, we proposed and developed an API to manage content in OpenFlow networks. We implemented this API using open source software and study the impact of logical centralization suggested by SDN on network performances
Seamless content distribution with OpenFlow
With the advent of virtualization and network function softwarization, the networking world shifts to Software Defined Networking (SDN) and OpenFlow is one of the most suitable candidates to implement the southbound API. In the meanwhile, the generalization of broadband Internet has led to massive content consumption. However, while content is usually retrieved via layer 7 protocols, OpenFlow operations are performed at lower layers (layer 4 or lower) making the protocol ineffective to deal with contents. To address this issue, we define an abstraction to unify network level and content level operations and present a straw-man logically centralized architecture proposal to support it. Our implementation demonstrates the feasibility of the solution and its advantage over a fully centralized approach
Assessing RoQ Attacks on MANETs over Aware and Unaware TPC Techniques
Adaptation mechanisms, such as transmission power control (TPC) techniques, cognitive radio technology and intelligent antenna, have been applied to efficiently manage the use of resources on wireless ad hoc networks. However, these mechanisms open doors for Reduction of Quality (RoQ) attacks. Those attacks damage network services exploiting adaptation capability and they can be easily launched on mobile ad hoc networks (MANETs). This paper assesses the influence of RoQ attacks on MANETs, aiming to provide insights and lead the design of control access mechanisms able to prevent or mitigate them. We evaluate MANETs supported by a modified IEEE 802.11 using unaware and aware TPC techniques. We analyze the impact of three types of RoQ attacks by simulations, and we show their effect over more dynamic aware TPC techniques