20 research outputs found

    Resource Management in Softwarized Networks

    Communication networks are undergoing a major transformation through softwarization, which is changing the way networks are designed, operated, and managed. Network Softwarization is an emerging paradigm where software controls the treatment of network flows, adds value to these flows by software processing, and orchestrates the on-demand creation of customized networks to meet the needs of customer applications. Software-Defined Networking (SDN), Network Function Virtualization (NFV), and Network Virtualization are three cornerstones of the overall transformation trend toward network softwarization. Together, they are empowering network operators to accelerate time-to-market for new services, diversify the supply chain for networking hardware and software, bringing the benefits of agility, economies of scale, and flexibility of cloud computing to networks. The enhanced programmability enabled by softwarization creates unique opportunities for adapting network resources in support of applications and users with diverse requirements. To effectively leverage the flexibility provided by softwarization and realize its full potential, it is of paramount importance to devise proper mechanisms for allocating resources to different applications and users and for monitoring their usage over time. The overarching goal of this dissertation is to advance the state of the art in how resources are allocated and monitored and build the foundation for effective resource management in softwarized networks. Specifically, we address four resource management challenges in three key enablers of network softwarization, namely SDN, NFV, and network virtualization. First, we challenge the current practice of realizing network services with monolithic software network functions and propose a microservice-based disaggregated architecture enabling finer-grained resource allocation and scaling. Then, we devise optimal solutions and scalable heuristics for establishing virtual networks with guaranteed bandwidth and guaranteed survivability against failure on multi-layer IP-over-Optical and single-layer IP substrate network, respectively. Finally, we propose adaptive sampling mechanisms for balancing the overhead of softwarized network monitoring and the accuracy of the network view constructed from monitoring data.

    LINT: Accuracy-adaptive and Lightweight In-band Network Telemetry

    In-band Network Telemetry (INT) has recently emerged as a means of achieving per-packet near real-time visibility into the network. INT capable network devices can directly embed device internal state such as packet processing time, queue occupancy and link utilization information in each passing packet. INT is enabling new network monitoring applications and is currently being used in production for providing fine-grained feedback to congestion control mechanisms. The microscopic network visibility facilitated by INT comes at the expense of increased data plane overhead. INT piggybacks telemetry information on user data traffic and can significantly increase packet size. A direct consequence of increasing packet size for carrying telemetry data is a substantial drop in network goodput. This paper aims at striking a balance between reducing INT data plane overhead and the accuracy of network view constructed from telemetry data. To this end, we propose LINT, an accuracy-adaptive and Lightweight INT mechanism that can be implemented on commodity programmable devices. Our evaluation of LINT using real network traces on a fat tree topology demonstrates that LINT can reduce INT data plane overhead by ≈25% while ensuring more than 0.9 recall for monitoring queries trying to identify congested flows and switches in the network.

    Non-intrusive and Workflow-aware Virtual Network Function Scheduling in User-space

    The simple programming model and very low-overhead I/O capabilities of emerging packet processing techniques leveraging kernel-bypass I/O and poll-mode processing are gaining significant popularity for building high performance software middleboxes (aka Virtual Network Functions (VNFs)). However, existing OS schedulers fall short in rightsizing CPU allocation to poll-mode VNFs due to the schedulers' shortcoming in capturing the actual processing cost of these VNFs. This issue is further exacerbated by their inability to consider VNF processing order when VNFs are chained to form Service Function Chains (SFCs). The state-of-the-art VNF schedulers proposed as an alternative to OS schedulers are intrusive, requiring the VNFs to be built with scheduler specific libraries or having carefully selected scheduling checkpoints. This highly restricts the VNFs that can properly work with these schedulers. In this paper, we present UNiS, a User-space Non-intrusive work-flow aware VNF Scheduler. Unlike existing approaches, UNiS is non-intrusive, i.e., does not require VNF modifications and treats poll-mode VNFs as black boxes. UNiS is also workflow-aware, i.e., takes SFC processing order into account while scheduling VNFs. Testbed experiments show that UNiS is able to achieve a throughput within 90% and 98% of that achievable using an intrusive cooperative scheduler for synthetic and real data center traffic, respectively.

    UNiS: A User-space Non-intrusive Workflow-aware Virtual Network Function Scheduler

    Network Function Virtualization (NFV) has gained a significant research interest in both academia and industry since its inception in late 2012. One of the key research issues in NFV is the development of systems for building Virtual Network Functions (VNFs) capable of meeting the performance requirements of enterprise and telecommunication networks. New packet processing models leveraging kernel bypass I/O and poll-mode processing have gained popularity for building high performance VNFs because of their simple programming model and very low I/O overhead. However, a major drawback of such poll-mode processing is the inefficient use of CPU resources. Existing CPU schedulers are ill-suited for VNFs due to their inability to capture the actual processing cost of a poll-mode VNF, hence, cannot rightsize the CPU allocation. This is further exacerbated by their inability to consider VNF processing order when VNFs are chained to form Service Function Chains (SFCs). The state-of-the-art solutions proposed for VNF scheduling are intrusive, i.e., requiring the VNFs to be built with scheduler specific libraries or having carefully selected scheduling checkpoints. This highly restricts the VNFs that can properly work with such schedulers. In this paper, we present UNiS: a User-space Non-intrusive work-flow aware VNF Scheduler. Unlike existing approaches, UNiS does not require VNF modifications and treats the poll-mode VNFs as a black box, hence, is non-intrusive. UNiS is also workflow-aware, i.e., maintains SFC processing order while scheduling the VNFs. Testbed experiments show that UNiS is able to achieve a throughput within 90% (for synthetic traffic load) and 98% (for real data center traffic trace) of the achievable throughput using an intrusive co-operative scheduler.

    Defeating Protocol Abuse with P4: Application to Explicit Congestion Notification

    In recent years, programmable data planes enabled by the protocol independent switch architecture (PISA) allowed the relocation of network functions closer to traffic flows and thereby the ability to react in real-time to network events. However, expressing complex and stateful network monitoring functions using state-of-the-art data plane programming languages such as P4 still remains challenging. In this context, we propose a method for modeling a stateful security monitoring function as an Extended Finite State Machine (EFSM) and express the EFSM using P4 language abstractions. We demonstrate the feasibility and benefit of our proposed approach in detecting and mitigating Explicit Congestion Notification (ECN) protocol abuse without any TCP protocol modification. Our evaluation shows that the proposed security monitoring function can restore 24.67% throughput loss caused by misbehaving TCP end-hosts while ensuring fair share of bandwidth among TCP flows.

    SPONGE: Software-Defined Traffic Engineering to Absorb Influx of Network Traffic

    Existing shortest path-based routing in wide area networks or equal cost multi-path routing in data center networks do not consider the load on the links while taking routing decisions. As a consequence, an influx of network traffic stemming from events such as distributed link flooding attacks and data shuffle during large scale analytics can congest network links despite the network having sufficient capacity on alternate paths to absorb the traffic. This can have several negative consequences: service unavailability, delayed flow completion, packet losses, among others. In this regard, we propose SPONGE, a traffic engineering mechanism for handling sudden influx of network traffic. SPONGE models the network as a stochastic process, takes the switch queue occupancy and traffic rate as inputs, and leverages the multiple available paths in the network to route traffic in a way that minimizes the overall packet loss in the network. We demonstrate the practicality of SPONGE through an OpenFlow based implementation, where we periodically and pro-actively reroute network traffic to the routes computed by SPONGE. Mininet emulations using real network topologies show that SPONGE is capable of reducing packet drops by 20% on average even when the network is highly loaded because of an ongoing link flooding attack.

    Mitigating TCP Protocol Misuse With Programmable Data Planes

    This paper proposes a new approach for detecting and mitigating the impact of misbehaving TCP end-hosts, specifically the Optimistic ACK attack, and Explicit Congestion Notification (ECN) abuse. In contrast to the state-of-the-art, we show that it is possible to mitigate such misbehavior leveraging emerging programmable data planes while not requiring any end-host or protocol modifications. A key challenge in doing so is to implement expressive, complex and stateful functions in the data plane within its restricted programming model. In this regard, we propose a security monitoring function that uses Extended Finite State Machine (EFSM) abstraction for monitoring stateful protocols in the data plane. We also design a mechanism for mapping a protocol's EFSM to programmable data plane primitives. Our evaluation results demonstrate that our approach can fully or partially restore the throughput loss caused by misbehaving end-hosts that manipulate TCP congestion control through misinformation.