
    Understanding Disruptive Monitoring Capabilities of Programmable Networks

    The design shift proposed by OpenFlow, with its simple stateless dataplane, initially contributed to the success of Software-Defined Networks. Its lack of state, however, prevents the implementation of many dataplane algorithms. Network applications must therefore offload stateful operations to the control plane, thereby increasing latency and limiting network scalability. Recent research efforts have therefore centered on adding stateful properties to switches. In this paper, we discuss the impact of emerging programmable dataplane abstractions on network monitoring. In particular, we investigate the need for dataplane state in the design of scalable monitoring applications. We argue that these abstractions are ill-suited for software switches, as they retain hardware-specific limitations. Furthermore, we analyse the impact of stateful dataplane designs on the control plane's visibility of the network. Finally, we identify opportunities for improvement in the design of stateful software switches.

    Offloading Security Services to the Cloud Infrastructure

    Cloud applications rely on a diverse set of security services, from application-layer rate limiting to TCP SYN cookies and application firewalls. Some of these services are implemented at the infrastructure layer, on the host or in the NIC, to filter attacks closer to their source and free CPU cycles for the tenants' applications. Most security services, however, remain difficult to implement at the infrastructure layer because they are closely tied to the applications they protect. In this paper, we propose to allow tenants to offload small filtering programs to the infrastructure. We design a mechanism to ensure fairness in resource consumption among tenants and show that, by carefully probing specific points of the infrastructure, all resource consumption can be accounted for. We prototype our solution over the new high-performance datapath of Linux. Our preliminary experiments show that an offload to the host's CPU can bring a 4-6x performance improvement. In addition, fairness among tenants introduces an overhead of only 14% in the worst case and approximately 3% for realistic applications.
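As an added illustration, not code from the paper, the following Python models one of the services the abstract names, TCP SYN cookies, as the kind of small stateless filtering program a tenant could offload to the host datapath: the server-side ISN encodes a time counter and an MSS index under two keyed hashes, so the final ACK of the handshake is validated without any per-connection table. The layout follows the classic SYN-cookie scheme (8-bit counter in the top byte, 24-bit hashed MSS field below it); the secrets, the MSS table, the 64-second counter period and the sample segments are constructed for this example.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed secrets for the example; a real deployment keeps these private and rotates them.
SECRET1 = b"example-secret-1"
SECRET2 = b"example-secret-2"
MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values the encoded index can name (assumed table)
COUNTER_PERIOD = 64                    # seconds per counter tick
MAX_AGE = 2                            # counter ticks a cookie stays valid


def _h(key: bytes, saddr: str, daddr: str, sport: int, dport: int, count=None) -> int:
    """32-bit keyed hash over the 4-tuple, optionally bound to the counter value."""
    msg = IPv4Address(saddr).packed + IPv4Address(daddr).packed + struct.pack("!HH", sport, dport)
    if count is not None:
        msg += struct.pack("!B", count)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss: int) -> int:
    """Index of the largest table entry not exceeding the client's MSS (rounds down)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now) -> int:
    """Server ISN for the SYN-ACK: H1 + client_isn + (count << 24) + ((H2 + mss_idx) mod 2^24)."""
    count = (now // COUNTER_PERIOD) & 0xFF
    data = (_h(SECRET2, saddr, daddr, sport, dport, count) + mss_index(mss)) & 0xFFFFFF
    return (_h(SECRET1, saddr, daddr, sport, dport) + client_isn + (count << 24) + data) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Return the MSS encoded in a valid, unexpired cookie, or None. No state is consulted."""
    diff = (cookie - _h(SECRET1, saddr, daddr, sport, dport) - client_isn) & 0xFFFFFFFF
    count = diff >> 24
    age = ((now // COUNTER_PERIOD) - count) & 0xFF
    if age > MAX_AGE:
        return None
    idx = (diff - (count << 24) - _h(SECRET2, saddr, daddr, sport, dport, count)) & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[idx]


def handle_segment(seg: dict, now: int):
    """Stateless filter: SYN -> ("synack", server_isn); final ACK -> ("accept", mss) or ("drop", None)."""
    key = (seg["saddr"], seg["daddr"], seg["sport"], seg["dport"])
    if seg["flags"] == "SYN":
        return "synack", make_cookie(*key, seg["seq"], seg["mss"], now)
    if seg["flags"] == "ACK":
        # Third handshake segment: seq = client ISN + 1, ack = server ISN + 1.
        mss = check_cookie(*key, (seg["seq"] - 1) & 0xFFFFFFFF, (seg["ack"] - 1) & 0xFFFFFFFF, now)
        return ("accept", mss) if mss is not None else ("drop", None)
    return "drop", None


if __name__ == "__main__":
    # Constructed sample handshake between a client and a protected service.
    syn = {"saddr": "198.51.100.7", "daddr": "203.0.113.10", "sport": 40000, "dport": 443,
           "flags": "SYN", "seq": 1000, "mss": 1460}
    verdict, isn = handle_segment(syn, now=100_000)
    ack = dict(syn, flags="ACK", seq=1001, ack=(isn + 1) & 0xFFFFFFFF)
    print(verdict, handle_segment(ack, now=100_010))                        # accept, MSS 1460
    print(handle_segment(ack, now=100_010 + 3 * COUNTER_PERIOD))            # expired: drop
```

Because the only inputs are the packet's own fields, the current time and two secrets, a program like this fits a stateless datapath and costs the host no memory per half-open connection; the price is that the counter window bounds how long a client may take to complete the handshake.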

    Oko: Extending Open vSwitch with Stateful Filters

    With the Software-Defined Networking paradigm, software switches emerged as the new edge of datacenter networks. The widely adopted Open vSwitch implements the OpenFlow forwarding model; its simple match-action abstraction eases network management, while providing enough flexibility to define complex forwarding pipelines. OpenFlow, however, cannot express the many packet-processing algorithms required for traffic measurement, network security, or congestion diagnosis, as it lacks persistent state and basic arithmetic and logic operations. This paper presents Oko, an extension of Open vSwitch that enables runtime integration of stateful filtering and monitoring functionalities based on Berkeley Packet Filter (BPF) programs into the OpenFlow pipeline. BPF programs attached to OpenFlow rules act as intelligent filters over packets, while leaving the packets unmodified. This approach enables the transparent extension of Open vSwitch's flow caching architecture, retaining its high-performance benefits. Furthermore, the use of BPF allows for safe runtime extension and prevention of switch failures due to faulty programs. We compare our implementation based on Open vSwitch-DPDK to existing approaches with comparable fault isolation properties and measure a near 2x performance improvement.

    Plans de données logiciels pour les traitements réseaux en environnements partagés (Software data planes for network processing in shared environments)

    Multi-tenant networks enable applications from multiple, isolated tenants to communicate over a shared set of underlying hardware resources. The isolation provided by these networks is enforced at the edge: end hosts demultiplex packets to the appropriate virtual machine, copy data across memory isolation boundaries, and encapsulate packets in tunnels to isolate traffic over the datacenter's physical network. Over the last few years, the growing demand for high-performance network interfaces has pressured cloud providers to build more efficient multi-tenant networks. While many turn to specialized, hard-to-upgrade hardware devices to achieve high performance, in this thesis we argue that significant performance improvements are attainable in end-host multi-tenant networks using commodity hardware. We advocate for a consolidation of network functions on the host and an offload of specific tenant network functions to the host. To that end, we design Oko, an extensible software switch that eases the consolidation of network functions. Oko includes an extended flow caching algorithm to support its runtime extension with limited overhead. Extensions are isolated from the software switch to prevent failures on the path of packets. By avoiding costly redirections to separate processes and virtual machines, Oko halves the running cost of network functions on average. We then design a framework to enable tenants to offload network functions to the host. Executing tenant network functions on the host promises large performance improvements, but raises evident isolation concerns. We extend the technique used in Oko to provide memory isolation and devise a mechanism to fairly share the CPU among offloaded network functions with limited interruptions.
    In a multi-tenant environment, networks rely on a set of shared hardware resources to let isolated applications communicate with their clients. This isolation is guaranteed by a set of mechanisms at the edge of the network: the very servers hosting the virtual machines must determine the appropriate recipient of each network packet, copy packets between isolated memory regions, and support the tunnels that isolate traffic as it transits the network core. These tasks must be accomplished with as few hardware resources as possible, since those resources are intended first of all for the virtual machines. Faced with intensifying demand for high network performance, cloud providers often resort to specialized but inflexible hardware equipment to reach the required performance. In this thesis, however, we defend the position that performance can be improved significantly without resorting to such equipment. We advocate, on the one hand, consolidating network functions in the virtualization layer and, on the other hand, relocating certain network functions out of the virtual machines. To that end, we propose Oko, an extensible software switch that eases the consolidation of network functions in the virtualization layer. Oko extends the state-of-the-art mechanisms for caching switch rules so that network functions can run as extensions of the switch. In addition, extensions are isolated from the switch core to prevent faults in an extension from affecting the rest of the network and to ease the rapid and safe deployment of new network functions. By letting network functions run inside the software switch, without redirections to separate processes, Oko halves the cost of running network functions on average. Our second contribution aims to let certain network functions execute upstream of the virtual machines, within the virtualization layer. Running these network functions outside the virtual machines yields large performance gains but raises isolation concerns. We reuse and improve the technique used in Oko to isolate network functions and extend it with a mechanism for sharing CPU time fairly among the relocated network functions.

    Virtual Network Functions Placement for Defense Against Distributed Denial of Service Attacks

    In this paper, we are interested in the problem of Virtual Network Function (VNF) placement to counter Distributed Denial of Service (DDoS) attacks. A DDoS attack is one of the most common and damaging types of cyberattack. With Network Function Virtualization (NFV), network functions, and more specifically security mechanisms, are implemented as software. This approach significantly reduces the cost of the infrastructure and simplifies the deployment of new services. We propose two new models for this critical and complex problem. The first model is a mixed-integer linear program aiming at eliminating all DDoS attacks before they reach their target. As its size grows exponentially with the network size, we propose a constraint generation algorithm to solve it. The numerical results obtained for different realistic network instances show the effectiveness of our approach. The second model is a bilevel programming problem that achieves a tradeoff between VNF placement costs and security-level requirements. Our results show that this mechanism counters DDoS attacks by effectively filtering them while minimizing the total cost of the deployed VNFs.
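The following Python is an added sketch, not the authors' models, of the constraint-generation loop behind the first formulation: the master problem picks a minimum-cost set of nodes to host filtering VNFs, the separation step searches for an attack path that still reaches the target unfiltered, and each such path becomes a new constraint ("at least one filter on this path"). Exact brute-force enumeration stands in for the MILP solver of the master problem, and the topology, per-node deployment costs, attack sources and target are constructed for the example.

```python
from collections import deque
from itertools import combinations


def find_attack_path(graph, sources, target, blocked):
    """Separation step: BFS for any source -> target path that avoids the nodes hosting a filter."""
    parent = {s: None for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in parent and nxt not in blocked:
                parent[nxt] = node
                queue.append(nxt)
    return None


def min_hitting_set(constraints, costs, candidates):
    """Master problem: cheapest set of candidate nodes hitting every constraint.
    Brute-force enumeration here stands in for the paper's MILP solver (fine for toy sizes only)."""
    best = None
    ordered = sorted(candidates)
    for size in range(len(ordered) + 1):
        for subset in combinations(ordered, size):
            chosen = frozenset(subset)
            if all(chosen & c for c in constraints):
                cost = sum(costs[n] for n in chosen)
                if best is None or cost < best[1]:
                    best = (chosen, cost)
    return best


def place_filters(graph, costs, sources, target):
    """Constraint generation: add path constraints until no unfiltered attack path remains.
    Returns (chosen nodes, total cost, iterations), or None when a source is adjacent to the target
    and no intermediate node can filter it."""
    candidates = {n for n in graph if n not in sources and n != target}
    constraints = []
    iterations = 0
    while True:
        iterations += 1
        chosen, cost = min_hitting_set(constraints, costs, candidates)
        path = find_attack_path(graph, sources, target, chosen)
        if path is None:
            return chosen, cost, iterations
        on_path = frozenset(n for n in path if n in candidates)
        if not on_path:
            return None
        constraints.append(on_path)   # new cut: at least one filter must sit on this path


# Constructed topology: two attack sources, four candidate nodes with deployment costs, one target.
GRAPH = {"s1": ["a", "b"], "s2": ["b", "c"], "a": ["d"], "b": ["d"], "c": ["d", "t"], "d": ["t"], "t": []}
COSTS = {"a": 3, "b": 3, "c": 3, "d": 2}
SOURCES = ("s1", "s2")
TARGET = "t"

if __name__ == "__main__":
    print(place_filters(GRAPH, COSTS, SOURCES, TARGET))   # (frozenset({'c', 'd'}), 5, 3)
```

On this topology the loop converges in three rounds: the first path found runs s2 -> c -> t, forcing a filter on c; the next unfiltered path goes through d, and {c, d} at cost 5 then blocks every remaining route, cheaper than covering a, b and c individually. The loop only ever materializes the handful of paths that actually constrain the optimum, which is the reason the abstract gives for constraint generation over enumerating all paths up front.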

    Time course of liver mitochondrial function and intrinsic changes in oxidative phosphorylation in a rat model of sepsis

    Background: Tissue ATP depletion and oxidative stress have been associated with the severe outcomes of septic shock. One of the compensatory mechanisms to alleviate sepsis-induced mitochondrial dysfunction could be an increase in oxidative phosphorylation efficiency (ATP/O). We set out to study liver mitochondrial function and oxidative stress, and the regulatory mechanism of mitochondrial oxidative phosphorylation efficiency, in an animal model of sepsis.
    Methods: We induced sepsis in rats by cecal ligation and perforation (CLP). Six, 24, or 36 h following CLP, we measured liver mitochondrial respiration, cytochrome c oxidase activity, and membrane permeability. We determined oxidative phosphorylation efficiency by measuring ATP synthesis relative to oxygen consumption at various exogenous ADP concentrations. Finally, we measured reactive oxygen species (ROS) generation by liver mitochondria and mRNA concentrations of UCP2, biogenesis factors, and cytokines at the same end points.
    Results: CLP rats presented hypotension, lactic acidosis, liver cytolysis, and upregulation of proinflammatory cytokine mRNA as compared to controls. Liver mitochondria showed a decrease in ATP synthesis and oxygen consumption at 24 h following CLP. A marked uncoupling of oxidative phosphorylation appeared 36 h following CLP and was associated with a decrease in cytochrome c oxidase activity and content and in ATP synthase subunit β content (slip mechanism) and an increase in mitochondrial oligomycin-insensitive respiration, but no change in mitochondrial inner membrane permeability (no leak). Upregulation of UCP2 mRNA resulted in a decrease in mitochondrial ROS generation 24 h after the onset of CLP, whereas the ROS over-generation associated with slip at cytochrome c oxidase observed at 36 h was concomitant with a decrease in UCP2 mRNA expression.
    Conclusions: Despite a compensatory increase in mitochondrial biogenesis factors, liver mitochondrial functions remain altered after CLP. This suggests that the functional compensatory mechanisms reported in the present study (slip at cytochrome c oxidase and biogenesis factors) were not strong enough to increase oxidative phosphorylation efficiency and failed to limit liver mitochondrial ROS over-generation. These data suggest that treatments based on cytochrome c infusion could have a role in the mitochondrial dysfunction and/or ROS generation associated with sepsis.

    Gene targeting in maize by somatic ectopic recombination

    Low transformation efficiency and a high background of non-targeted events are major constraints to gene targeting in plants. We demonstrate here the applicability in maize of a system that reduces the constraint from transformation efficiency. The system requires regenerable transformants in which all of the following elements are stably integrated in the genome: (i) donor DNA with the gene of interest adjacent to a sequence for repair of a defective selectable marker, (ii) a sequence encoding a rare-cutting endonuclease such as I-SceI, (iii) a target locus (TL) comprising the defective selectable marker and an I-SceI cleavage site. Typically, this requires additional markers for the integration of the donor and target sequences, which may be assembled through cross-pollination of separate transformants. Inducible expression of I-SceI then cleaves the TL and facilitates homologous recombination, which is assayed by selection for the repaired marker. We used bar and gfp markers to identify assembled transformants, a dexamethasone-inducible I-SceI::GR protein, and selection for recombination events that restored an intact nptII. Applying this strategy to callus permitted the selection of recombination into the TL at a frequency of 0.085% per extracted immature embryo (29% of recombinants). Our results also indicate that excision of the donor locus (DL) through the use of flanking I-SceI cleavage sites may be unnecessary, and a source of unwanted repair events at the DL. The system allows the production, from each assembled transformant, of many cells that can subsequently be treated to induce gene targeting. This may facilitate gene targeting in plant species for which transformation efficiencies are otherwise limiting.