29 research outputs found

    CherryPick: Tracing Packet Trajectory in Software-defined Datacenter Networks

    SDN-enabled datacenter network management and debugging can benefit by the ability to trace packet trajectories. For example, such a functionality allows measuring traffic matrix, detecting traffic anomalies, localizing network faults, etc. Existing techniques for tracing packet trajectories require either large data collection overhead or large amount of data plane resources such as switch flow rules and packet header space. We present CherryPick, a scalable, yet simple technique for tracing packet trajectories. The core idea of our technique is to cherry-pick the links that are key to representing an end-to-end path of a packet, and to embed them into its header on its way to destination. Preliminary evaluation on a fat-tree topology shows that CherryPick requires minimal switch flow rules, while using header space close to state-of-the-art techniques.

    Choreo: network-aware task placement for cloud applications

    Cloud computing infrastructures are increasingly being used by network-intensive applications that transfer significant amounts of data between the nodes on which they run. This paper shows that tenants can do a better job placing applications by understanding the underlying cloud network as well as the demands of the applications. To do so, tenants must be able to quickly and accurately measure the cloud network and profile their applications, and then use a network-aware placement method to place applications. This paper describes Choreo, a system that solves these problems. Our experiments measure Amazon's EC2 and Rackspace networks and use three weeks of network data from applications running on the HP Cloud network. We find that Choreo reduces application completion time by an average of 8%-14% (max improvement: 61%) when applications are placed all at once, and 22%-43% (max improvement: 79%) when they arrive in real-time, compared to alternative placement schemes.
    Funding: National Science Foundation (U.S.) (Grant 0645960); National Science Foundation (U.S.) (Grant 1065219); National Science Foundation (U.S.) (Grant 1040072)

    Controller-agnostic SDN Debugging


    Duet


    Compiling Path Queries in Software-Defined Networks

    Monitoring the flow of traffic along network paths is essential for SDN programming and troubleshooting. For example, traffic engineering requires measuring the ingress-egress traffic matrix; debugging a congested link requires determining the set of sources sending traffic through that link; and locating a faulty device might involve detecting how far along a path the traffic makes progress. Past path-based monitoring systems operate by diverting packets to collectors that perform “after-the-fact” analysis, at the expense of large data-collection overhead. In this paper, we show how to do more efficient “during-the-fact” analysis. We introduce a query language that allows each SDN application to specify queries independently of the forwarding state or the queries of other applications. The queries use a regular-expression-based path language that includes SQL-like “groupby” constructs for count aggregation. We track the packet trajectory directly on the data plane by converting the regular expressions into an automaton, and tagging the automaton state (i.e., the path prefix) in each packet as it progresses through the network. The SDN policies that implement the path queries can be combined with arbitrary packet-forwarding policies supplied by other elements of the SDN platform. A preliminary evaluation of our prototype shows that our “during-the-fact” strategy reduces data-collection overhead over “after-the-fact” strategies.

    One tool to rule them all


    Flow-based load balancing in multipathed layer-2 networks using OpenFlow and multipath-TCP

    In this paper we address the challenge of traffic optimization for big data flows in layer-2 networks. We present an OpenFlow controller implementation that removes the necessity of a Spanning Tree Protocol, allows for the usage of multiple paths, and enables in-network per-flow load balancing. Moreover, we demonstrate how systems deploying Multipath-TCP can benefit from our solution.

    WedgeTail: an intrusion prevention system for the data plane of software defined networks

    Networks are vulnerable to disruptions caused by malicious forwarding devices. The situation is likely to worsen in Software Defined Networks (SDNs) with the incompatibility of existing solutions, use of programmable soft switches and the potential of bringing down an entire network through compromised forwarding devices. In this paper, we present WedgeTail, an Intrusion Prevention System (IPS) designed to secure the SDN data plane. WedgeTail regards forwarding devices as points within a geometric space and stores the path packets take when traversing the network as trajectories. To be efficient, it prioritizes forwarding devices before inspection using an unsupervised trajectory-based sampling mechanism. For each forwarding device, WedgeTail computes the expected and actual trajectories of packets and 'hunts' for any forwarding device not processing packets as expected. Compared to related work, WedgeTail is also capable of distinguishing between malicious actions such as packet drop and generation. Moreover, WedgeTail employs a radically different methodology that enables detecting threats autonomously. In fact, it has no reliance on pre-defined rules by an administrator and may be easily imported to protect SDN networks with different setups, forwarding devices, and controllers. We have evaluated WedgeTail in simulated environments, and it has been capable of detecting and responding to all implanted malicious forwarding devices within a reasonable time-frame. We report on the design, implementation, and evaluation of WedgeTail in this manuscript.
    Comment: Accepted to ASIACCS - Final version, Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security. ACM, 201

    Isolating and Tolerating SDN Application Failures with LegoSDN

    Despite software-defined networking's proven benefits, there remains a significant reluctance in adopting it. Among the issues that hamper SDN's adoption, two issues stand out: reliability and fault tolerance. At the heart of these issues is a set of fate-sharing relationships: the first between the SDN control applications and controllers, wherein the crash of the former induces a crash of the latter, thereby affecting the controller's availability; and, the second between the SDN-Apps and the network, wherein the failure of the former violates network safety, e.g., network-loops, or network availability, e.g., black holes. In this paper, we argue for a redesign of the controller architecture centering around a set of abstractions to eliminate these fate-sharing relationships and thus improve the controller's availability. We present a prototype implementation of a framework, called LegoSDN, that embodies our abstractions, and we demonstrate the benefits of our abstractions by evaluating LegoSDN on an emulated network with five real SDN-Apps. Our evaluations show that LegoSDN can recover failed SDN-Apps 3x faster than controller reboots while simultaneously preventing policy violations.