1

Improving the flexibility of DPDK Service Cores / Förbättring av flexibiliteten hos DPDK Service Cores

Blazevic, Denis Ivan, Jansson, Magnus January 2019
Data Plane Development Kit is a highly used library for creating network applications that can be run on all hardware. Data Plane Development Kit has a component called Service Cores, which allows the main applications to create services that will run independently. These services are manually mapped to specific CPU cores, and are scheduled in a round-robin method. Because of the manual mapping, and the scheduling, the different load for each service can impact the start time for each service. By having services not run when supposed to, the throughput will degrade. In this thesis, we investigate and try to solve the issue by implementing a basic load balancer into the Service Core component. Our results show that a basic load balancer, that will balance upon reaching a CPU upper threshold, will increase the throughput of services while decreasing the delay between each service run.
2

Une approche modulaire avec délégation de contrôle pour les réseaux programmables / Towards network softwarization : a modular approach for network control delegation

Soni, Hardik 20 April 2018
Network operators face major challenges in terms of cost and complexity in integrating new communication technologies (e.g., 4G, 5G, optical fiber) and in meeting the growing demand for new network services suited to new use cases. The "softwarization" of network operations using the SDN (Software Defined Networking) and NFV (Network Function Virtualization) paradigms can simplify network control and management and deliver network services efficiently. Programmable SDN networks make it possible to decouple the control plane from the data plane and to centralize the control plane in order to simplify network management and obtain a global view. However, this raises scalability problems that are difficult to solve. Moreover, by decoupling the hardware from the software of routers, NFV makes it possible to implement all kinds of network functions flexibly and at lower cost. The downside is a performance degradation caused by the software implementation of network functions that are moved off the routers. To address the scalability and performance problems of the SDN/NFV paradigms, we propose in the first part of the thesis a modular network management and control architecture in which the SDN controller delegates part of its responsibilities to specific network functions that are instantiated at strategic locations in the network infrastructure. We chose a live video streaming application (such as Facebook Live or Periscope) using an IP multicast service as an example, because it illustrates well the scalability problems of programmable networks.
Our solution exploits the advantages of the NFV paradigm to solve the scalability problem of the centralized SDN control plane by delegating the processing of control traffic specific to the multicast service to specific network functions (called MNFs) implemented in software and executed in an NFV environment located at the edge of the network. Our approach provides flexible multicast group management that scales. In addition, it benefits from the global view of centralized control provided by SDN to deploy new traffic engineering policies such as L2BM (Lazy Load Balance Multicast) in programmable Internet service provider (ISP) networks. Evaluating this approach is difficult because the research community does not have easy access to realistic large-scale SDN infrastructure. To evaluate our solution, we developed the DiG tool, which makes it possible to exploit the enormous amount of resources available in a computing grid to easily emulate such environments. DiG takes physical constraints (memory, CPU, link capacity) into account to provide a realistic and configurable evaluation environment with controlled conditions. The solution we propose delegates the control and management of the network for the multicast service to the specific MNF functions executed in an NFV environment. Ideally, for greater efficiency, all these specific functions should be implemented directly within routers using programmable hardware, but this requires that these new routers be able to execute several network functions independently at the same time. The P4 programming language is a promising technology for programming the processing of data packets in programmable routers (hardware and software).
/ Network operators are facing great challenges in terms of cost and complexity in order to incorporate new communication technologies (e.g., 4G, 5G, fiber) and to keep up with increasing demands of new network services to address emerging use cases. Softwarizing the network operations using Software-Defined Networking (SDN) and Network Function Virtualization (NFV) paradigms can simplify control and management of networks and provide network services in a cost effective way. SDN decouples control and data traffic processing in the network and centralizes the control traffic processing to simplify the network management, but may face scalability issues due to the same reasons. NFV decouples hardware and software of network appliances for cost effective operations of network services, but faces performance degradation issues due to data traffic processing in software. In order to address scalability and performance issues in SDN/NFV, we propose in the first part of the thesis, a modular network control and management architecture, in which the SDN controller delegates part of its responsibilities to specific network functions instantiated in network devices at strategic locations in the infrastructure. We have chosen to focus on a modern application using an IP multicast service for live video streaming applications (e.g., Facebook Live or Periscope) that illustrates well the SDN scalability problems. Our solution exploits benefits of the NFV paradigm to address the scalability issue of centralized SDN control plane by offloading processing of multicast service specific control traffic to Multicast Network Functions (MNFs) implemented in software and executed in NFV environment at the edge of the network. Our approach provides smart, flexible and scalable group management and leverages centralized control of SDN for Lazy Load Balance Multicast (L2BM) traffic engineering policy in software defined ISP networks.
Evaluation of this approach is tricky, as real world SDN testbeds are costly and not easily available for the research community. So, we designed a tool that leverages the huge amount of resources available in the grid, to easily emulate such scenarios. Our tool, called DiG, takes into account the physical resources (memory, CPU, link capacity) constraints to provide a realistic evaluation environment with controlled conditions. Our NFV-based approach requires multiple application specific functions (e.g., MNFs) to control and manage the network devices and process the related data traffic in an independent way. Ideally, these specific functions should be implemented directly on hardware programmable routers. In this case, new routers must be able to execute multiple independently developed programs. Packet-level programming language P4, one of the promising SDN-enabling technologies, allows applications to program their data traffic processing on P4 compatible network devices. In the second part of the thesis, we propose a novel approach to deploy and execute multiple independently developed and compiled applications programs on the same network device. This solution, called P4Bricks, allows multiple applications to control and manage their data traffic, independently. P4Bricks merges programmable blocks (parsers/deparsers and packet processing pipelines) of P4 programs according to processing semantics (parallel or sequential) provided at the time of deployment.
3

Towards Machine Learning Inference in the Data Plane

Langlet, Jonatan January 2019
Recently, machine learning has been considered an important tool for various networking-related use cases such as intrusion detection, flow classification, etc. Traditionally, machine learning based classification algorithms run on dedicated machines that are outside of the fast path, e.g. on Deep Packet Inspection boxes, etc. This imposes additional latency in order to detect threats or classify the flows. With the recent advance of programmable data planes, implementing advanced functionality directly in the fast path is now a possibility. In this thesis, we propose to implement Artificial Neural Network inference together with flow metadata extraction directly in the data plane of P4 programmable switches, routers, or Network Interface Cards (NICs). We design a P4 pipeline, optimize the memory and computational operations for our data plane target, a programmable NIC with Micro-C external support. The results show that neural networks of a reasonable size (i.e. 3 hidden layers with 30 neurons each) can process flows totaling over a million packets per second, while the packet latency impact from extracting a total of 46 features is 1.85μs.
4

Securing SDN Data Plane: Investigating the effects of IP Spoofing Attacks on SDN Switches and its Mitigation : Simulation of IP spoofing using Mininet

JABBU, SHIVAKUMAR YADAV, MADIRAJU, ANIRUDH SAI January 2023
Background: Software-Defined Networking (SDN) represents a network architecture that offers a separate control and data layer, facilitating its rapid deployment and utilization for diverse purposes. However, despite its ease of implementation, SDN is susceptible to numerous security attacks, primarily stemming from its centralized nature. Among these threats, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks pose the most substantial risks. In the event of a successful attack on the SDN controller, the entire network may suffer significant disruption. Hence, safeguarding the controller becomes crucial to ensure the integrity and availability of the SDN network. Objectives: This thesis focuses on examining the IP spoofing attack and its impact on the Data Plane, particularly concerning the metrics of an SDN switch. The investigation centers around attacks that manipulate flow-rules to amplify the number of rules and deplete the resources of a switch within the Data Plane of an SDN network. To conduct the study, a software-defined network architecture was constructed using Mininet, with a Ryu controller employed for managing network operations. Various experiments were carried out to observe the response of the SDN system when subjected to an IP spoofing attack, aiming to identify potential mitigation strategies against such threats. Method and Results: To simulate the resource exhaustion scenario on the SDN network’s Data Plane, we deliberately triggered an escalation in the number of flow-rules installed in the switch. This was achieved by sending packets with spoofed IP addresses, thereby exploiting the switch’s limited resources. Specifically, we focused on monitoring the impact on CPU utilization, storage memory, latency, and throughput within the switch. Detailed findings were presented in the form of tables, accompanied by graphical representations to visually illustrate the effects of increasing flow rules on the switches.
Furthermore, we explored potential mitigation measures by developing an application that actively monitors the flow rules on the Ryu controller, aiming to detect and counteract such resource-exhausting effects.
5

PERFORMANCE ANALYSIS OF SOFTWARE DEFINED NETWORK CONCEPTS IN NETWORKED EMBEDDED SYSTEMS

Elamin, Mohamed January 2017
No description available.
6

Design and Implementation of an Architecture-aware In-memory Key-Value Store

Giordano, Omar January 2021
Key-Value Stores (KVSs) are a type of non-relational databases whose data is represented as a key-value pair and are often used to represent cache and session data storage. Among them, Memcached is one of the most popular ones, as it is widely used in various Internet services such as social networks and streaming platforms. Given the continuous and increasingly rapid growth of networked devices that use these services, the commodity hardware on which the databases are based must process packets faster to meet the needs of the market. However, in recent years, the performance improvements characterising the new hardware have become thinner and thinner. From here, as the purchase of new products is no longer synonymous with significant performance improvements, companies need to exploit the full potential of the hardware already in their possession, consequently postponing the purchase of more recent hardware. One of the latest ideas for increasing the performance of commodity hardware is the use of slice-aware memory management. This technique exploits the Last Level of Cache (LLC) by making sure that the individual cores take data from memory locations that are mapped to their respective cache portions (i.e., LLC slices). This thesis focuses on the realisation of a KVS prototype—based on Intel Haswell micro-architecture—built on top of the Data Plane Development Kit (DPDK), and to which the principles of slice-aware memory management are applied. To test its performance, given the non-existence of a DPDK-based traffic generator that supports the Memcached protocol, an additional prototype of a traffic generator that supports these features has also been developed. The performances were measured using two distinct machines: one for the traffic generator and one for the KVS. First, the “regular” KVS prototype was tested, then, to see the actual benefits, the slice-aware one.
Both KVS prototypes were subjected to two types of traffic: (i) uniform traffic where the keys are always different from each other, and (ii) skewed traffic, where keys are repeated and some keys are more likely to be repeated than others. The experiments show that, in real-world scenario (i.e., characterised by skewed key distributions), the employment of a slice-aware memory management technique in a KVS can slightly improve the end-to-end latency (i.e., ~2%). Additionally, such technique highly impacts the look-up time required by the CPU to find the key and the corresponding value in the database, decreasing the mean time by ~22.5%, and improving the 99th percentile by ~62.7%. / Key-Value Stores (KVSs) are a type of non-relational database whose data is represented as a key-value pair and are often used to represent cache and session storage. Among them, Memcached is one of the most popular, as it is often used in various Internet services such as social networks and streaming platforms. Given the continuous and increasingly rapid growth of networked devices that use these services, the commodity hardware on which the databases are based must process packets faster to meet the needs of the market. In recent years, however, the performance improvements characterising the new hardware have become thinner and thinner. From here, since the purchase of new products is no longer synonymous with significant performance improvements, companies must exploit the full potential of the hardware already in their possession, which postpones the purchase of newer hardware. One of the latest ideas for increasing the performance of commodity hardware is the use of slice-aware memory management. This technique exploits the Last Level of Cache (LLC) by making sure that the individual cores take data from memory locations that are mapped to their respective cache portions (i.e., LLC slices).
This thesis focuses on the realisation of a KVS prototype, based on the Intel Haswell micro-architecture, built on top of the Data Plane Development Kit (DPDK), and to which the principles of slice-aware memory management are applied. To test its performance, given that there is no DPDK-based traffic generator that supports the Memcached protocol, an additional prototype of a traffic generator that supports these features has also been developed. The performances were measured using two different machines: one for the traffic generator and one for the KVS. First the “regular” KVS prototype was tested, then, to see the actual benefits, the slice-aware one. Both KVS prototypes were subjected to two types of traffic: (i) uniform traffic where the keys always differ from each other and (ii) skewed traffic, where keys are repeated and some keys are more likely to be repeated than others. The experiments show that in real-world scenarios (i.e., characterised by skewed key distributions), the use of a slice-aware memory management technique in a KVS can yield an end-to-end improvement (i.e., ~2%). In addition, such a technique greatly affects the look-up time required by the CPU to find the key and the corresponding value in the database, decreasing the mean time by ~22.5% and improving the 99th percentile by ~62.7%.
7

On the Feasibility of Deploying Highly Resilient Data Plane Forwarding Mechanisms Using Programmable Switches

Lindbøl Bjørseth, Henrik January 2019
Network downtime is costly for providers of information technology services. One cause of network downtime is link failures. The control plane of the network is the entity responsible for ensuring connectivity upon link failures. The data plane of the network forwards packets at line speed and it is controlled by the control plane. One disadvantage of ensuring connectivity at the control plane level is the time needed to react to a failure. The control plane is several orders of magnitude slower than the data plane. Moving the connectivity responsibility to the quicker data plane has therefore the potential to reduce network downtime. This work explored what level of connectivity robustness can be achieved when implementing data plane connectivity algorithms in today’s high-speed programmable switches. A literature study of several data plane connectivity algorithms was conducted. A critical aspect considered in this study was the simplicity of the data plane connectivity mechanism as high-speed programmable switches cannot support arbitrarily complex forwarding function. Data-Driven Connectivity (DDC) was selected as a suitable algorithm due to its high guaranteed connectivity and algorithmic simplicity. DDC was implemented in a virtual network environment using P4 programmable software switches. Our solution automates the generation of the virtual network based on a topology description. It also initializes the switches and generates the specific DDC P4 code for each switch. All the functions of DDC P4 have been tested to verify that each function behaved as expected. The path optimality of DDC P4 after several link failures was evaluated on the emulated Google’s wide area network topology, called B4 (2011). The path optimality evaluation shows that the path stretch of DDC P4, i.e., the gap from the shortest path in the number of hops, is not optimal for about 30% of the possible source/destination node pairs in the topology.
The throughput of the DDC P4 was also evaluated along different number of link failures. The throughput results show a linear decrease in steps of 0.4 Mbps depending on which outbound link was utilized, starting from a throughput of 6.3 Mbps in the absence of failures. The current DDC P4 implementation does not scale well due to duplicate code for each destination in the topology. Both improving the scalability of the current implementation and an implementation on a hardware programmable switch remain as future work. / Network outages are costly for providers of information technology services. One cause of outages is link failures. The network's control plane is the entity responsible for ensuring connectivity upon link failures. The network's data plane forwards packets as fast as the network link allows, and it is controlled by the control plane. One disadvantage of ensuring connectivity in the control plane is the time needed to react to a failure. The control plane is many times slower than the data plane. Moving the connectivity responsibility to the faster data plane can therefore shorten network outages. This work examined what level of connectivity robustness can be achieved when implementing data plane connectivity algorithms in today's programmable high-speed switches. A literature study of several data plane connectivity algorithms was conducted. A critical aspect considered in this study was the simplicity of the data plane connectivity mechanism, since programmable high-speed switches cannot support arbitrarily complex forwarding functions. Data-Driven Connectivity (DDC) was selected as a suitable algorithm because of its high guaranteed connectivity and algorithmic simplicity. DDC was implemented in a virtual network environment using P4-programmable software switches.
Our solution automates the generation of the virtual network based on a topology description. It also initializes the switches and generates the specific DDC P4 code for each switch. All functions of DDC P4 have been tested to verify that each function behaved as expected. The path optimality of DDC P4 after several link failures was evaluated on Google's emulated Wide Area Network (WAN), called B4 (2011). The path optimality evaluation shows that the path stretch of DDC P4, i.e., the distance from the shortest path in number of hops, is not optimal for about 30% of the possible source/destination node pairs in the topology. The throughput of DDC P4 was also evaluated for different numbers of link failures. The throughput results show a linear decrease in steps of 0.4 Mbps depending on which outbound link was used, starting from a throughput of 6.3 Mbps in the absence of failures. The current DDC P4 implementation does not scale well because of duplicated code for each destination in the topology. Both improving the scalability of the current implementation and an implementation on a hardware programmable switch remain as future work.
8

Diffuser: Packet Spraying While Maintaining Order : Distributed Event Scheduler for Maintaining Packet Order while Packet Spraying in DPDK / Diffusor: Packet Spraying While Upprätthålla Ordning : Distribuerad händelseschemaläggare för att upprätthålla paketordning medan Paketsprutning i DPDK

Purushotham Srinivas, Vignesh January 2023
The demand for high-speed networking applications has made Network Processors (NPs) and Central Computing Units (CPUs) increasingly parallel and complex, containing numerous on-chip processing cores. This parallelism can only be exploited fully by the underlying packet scheduler by efficiently utilizing all the available cores. Classically, packets have been directed towards the processing cores at flow granularity, making them susceptible to traffic locality. Ensuring a good load balance among the processors improves the application’s throughput and packet loss characteristics. Hence, packet-level schedulers dispatch flows to the processing core at a packet granularity to improve the load balance. However, packet-level scheduling combined with advanced parallelism introduces out-of-order departure of the processed packets. Simultaneously optimizing both the load balance and packet order is challenging. In this degree project, we micro-benchmark the DPDK’s (Dataplane Development Kit) event scheduler and identify many performance and scalability bottlenecks. We find the event scheduler consumes around 40% of the cycles on each participating core for event scheduling. Additionally, we find that DSW (Distributed Software Scheduler) cannot saturate all the workers with traffic because a single NIC (Network Interface Card) queue is polled for packets in our test setup. Then we propose Diffuser, an event scheduler for DPDK that combines the functional properties of both the flow and packet-level schedulers. The diffuser aims to achieve optimal load balance while minimizing out-of-order packet transmission. Diffuser uses stochastic flow assignments along with a load imbalance feedback mechanism to adaptively control the rate of flow migrations to optimize the scheduler’s load distribution. Diffuser reduces packet reordering by at least 65% with ten flows of 100 bytes at 25 MPPS (Million Packet Per Second) and at least 50% with one flow. 
While Diffuser improves the reordering performance, it slightly reduces throughput and increases latency due to flow migrations and reduced cache locality. / The demand for high-speed networking applications has made network processors (NPs) and central computing units (CPUs) increasingly parallel, complex and containing many processor cores. This parallelism can only be exploited fully by the underlying packet scheduler by efficiently utilizing all available cores. Usually, the packet scheduler has sent packets to different cores based on flow granularity, which entails traffic locality. A good load balance among the processors improves the application's throughput and reduces lost packets. Therefore, packet-level schedulers instead send flows to the core at packet granularity to improve the load balance. However, packet-level scheduling combined with advanced parallelism means that the processed packets depart out of order. Simultaneously optimizing both load balance and packet order is a challenge. In this degree project, we evaluate DPDK's (Dataplane Development Kit) event scheduler and find many performance and scalability bottlenecks. We find that the event scheduler consumes around 40% of the cycles on each core. In addition, we find that DSW (Distributed Software Scheduler) cannot saturate all working cores with traffic because a single network card queue is used in our test environment. We also introduce Diffuser, an event scheduler for DPDK that combines the properties of both flow-level and packet-level schedulers. Diffuser aims to achieve optimal load balance while minimizing out-of-order packet transmission. It uses stochastic flow assignments together with a load imbalance feedback mechanism to adaptively control flow migrations in order to optimize the load distribution.
Diffuser reduces packet reordering by at least 65% with ten flows of 100 bytes at 25 MPPS (Million Packets Per Second) and at least 50% with only one flow. Although Diffuser improves the reordering performance, it slightly reduces throughput and increases latency due to flow migrations and reduced cache locality.
9

Attack Modeling and Risk Assessments in Software Defined networking (SDN)

Frankeline, Tanyi January 2019
Software Defined Networking (SDN) is a technology which provides a network architecture with three distinct layers that is, the application layer which is made up of SDN applications, the control layer which is made up of the controller and the data plane layer which is made up of switches. However, there exist different types of SDN architectures some of which are interconnected with the physical network. At the core of SDN, the control plane is physically and logically separated from the data plane. The controller is connected to the application layer through an interface known as the northbound interface and to the data plane through another interface known as the southbound interface. The centralized control plane uses APIs to communicate through the northbound and southbound interface with the application layer and the data plane layer respectively. By default, these APIs such as Restful and OpenFlow APIs do not implement security mechanisms like data encryption and authentication thus, this introduces new network security threats to the SDN architecture. This report presents a technique known as threat modeling in SDN. To achieve this technique, attack scenarios are created based on the OpenFlow SDN vulnerabilities. After which these vulnerabilities are defined as predicates or facts and rules, a framework known as multihost multistage vulnerability analysis (MulVAL) then takes these predicates and rules to produce a threat model known as attack graph. The attack graph is further used to perform quantitative risk analysis using a metric to depict the risks associated to the OpenFlow SDN model.
10

Implementation and Evaluation of In-Band Network Telemetry in P4

Joshi, Mandar January 2021
As computer networks grow more complex as the number of connected devices increases, the monitoring and management of such networks also increases in complexity. Current network monitoring tools such as NetFlow, sFlow, ping, traceroute, and tcpdump prove to be both tedious and offer low accuracy when reporting the network state. With the recent emergence in programmable data plane switches, a new framework was created by the P4 Applications Working Group named In-Band Network Telemetry (INT). INT enables network programmers to obtain fine-grained telemetry information directly from the data plane without involvement from the control plane. This project implements INT in hardware Intel Tofino switches and provides a comparison between the three different INT modes of operations (INTXD, INTMX and INTMD) as defined in the framework specifications. The results show the effects of INT when implemented in the data plane, providing the ability to monitor the path a packet took through the network (switch ingress and egress ports), the hop latency, queue occupancy and queuing latency. However, INT can increase the overhead in both the packet and the bandwidth of the network, reducing application throughput. Measures to counteract this are discussed. An earlier implementation of a standalone telemetry report monitoring system was used and analysed, and it allowed for telemetry reports to be reported and visualised at a rate of up to 50 Kpps without any event detection. The results are applied to a Saab 9LV CMS network, and it is concluded that INT allows network operators to obtain a precise overview of the network state, allowing for easier network troubleshooting. / As computer networks grow in complexity as the number of connected devices increases, methods for monitoring and managing such networks also increase in complexity.
Current network monitoring tools such as NetFlow, sFlow, ping, traceroute and tcpdump prove to be both cumbersome and give low accuracy when reporting the network state. With the emergence of programmable data planes and programmable switches, a new framework named INT was created by the P4 Applications Working Group. INT enables network programmers to obtain fine-grained telemetry information directly from the data plane without involvement from the control plane. This project implements INT in Intel Tofino switches and provides a comparison between the three different INT modes of operation (INTXD, INTMX and INTMD) as defined in the specifications. The results show the effects of INT when implemented in the data plane, including the ability to monitor the path a packet took through the network (both ingress and egress ports on the switches), hop latency, queue occupancy and queuing latency. However, INT can increase the overhead in both the packet and the bandwidth of the network, which reduces application throughput. Measures to counteract this are discussed. An earlier implementation of a standalone monitoring system for telemetry reports was used and analysed, and it was possible to report and visualise telemetry reports at a rate of up to 50 Kpps without any event detection. The results are applied to a Saab 9LV CMS network, and it is concluded that INT allows network operators to get an accurate overview of the network state, which enables easier network troubleshooting.
