Monitoramento de desempenho com middleboxes em redes definidas por software

Gondim, Ethel Barreto

07 August 2015

Dissertação (mestrado)—Universidade de Brasília, Instituto de Ciências Exatas, Departamento de Ciência Da Computação, 2015. / O gerenciamento de desempenho de aplicações é frequentemente dificultado pela presença de middleboxes, por sua variedade e capacidade de alterar o tráfego que os atravessa. Com o advento das Redes Definidas por Software (do Inglês, Software-Defined Networking, SDN), surgem novas possibilidades para o gerenciamento de desempenho a partir da programabilidade dos dispositivos e do controle centralizado do tráfego. Este trabalho propõe uma arquitetura que objetiva mitigar os desafios impostos pelos middleboxes ao monitoramento de desempenho em SDN. Em particular, é apresentado e validado um protótipo que identifica o tempo de resposta, a disponibilidade e informações de conexões de aplicações na presença de quatro middleboxes: um balanceador de carga, um firewall, um sistema de prevenção de intrusões (do Inglês, Intrusion Prevention System, IPS) e um sistema de tradução de endereços de rede (do Inglês, Network Address Translation, NAT). Para os três primeiros middleboxes, foram desenvolvidas Interfaces de Programação de Aplicações (do Inglês, Application Programming Interfaces, APIs) específicas. / Application Performance management is frequently hampered by the presence of middleboxes, because of their variety and capacity of modifying the traffic that traverses them. With the advent of Software-Defined Networking (SDN), new possibilities for performance management arise from the programmability of devices and the centralized control of traffic. This work proposes an architecture that aims at mitigating the challenges posed by middleboxes in performance monitoring in SDN. In particular, it is presented and validated a prototype that identifies the response time, the availability and connection information of applications in the presence of four middleboxes: a load balancer, a firewall, an Intrusion Prevention System (IPS) and a Network Address Translation (NAT) system. For the first three middleboxes, specific Application Programming Interfaces (APIs) were developed.

Gerenciamento de rede

Gerenciamento de desempenho

Redes Definidas por Software (SDN)

Middlebox

Enhancing network robustness using software-defined networking

Li, Xin

January 1900

Doctor of Philosophy / Department of Electrical and Computer Engineering / Don M. Gruenbacher / Caterina M. Scoglio / As today's networks are no longer individual networks, networks are less robust towards failures and attacks. For example, computer networks and power networks are interdependent. Computer networks provide smart control for power networks, while power networks provide power supply. Localized network failures and attacks are amplified and exacerbated back and forth between two networks due to their interdependencies. This dissertation focuses on finding solutions to enhance network robustness. Software-defined networking provides a programmable architecture, which can dynamically adapt to any changes and can reduce the complexities of network traffic management. This architecture brings opportunities to enhance network robustness, for example, adapting to network changes, routing traffic bypassing malfunction devices, dropping malicious flows, etc. However, as SDN is rapidly proceeding from vision to reality, the SDN architecture itself might be exposed to some robustness threats. Especially, the SDN control plane is tremendously attractive to attackers, since it is the "brain" of entire networks. Thus, researching on network robustness helps protect network from a destructive disaster. In this dissertation, we first build a novel, realistic interdependent network framework to model cyber-physical networks. We allocate dependency links under a limited budget and evaluate network robustness. We further revise a network flow algorithm and find solutions to obtain a basic robust network structure. Extensive simulations on random networks and real networks show that our deployment method produces topologies that are more robust than the ones obtained by other deployment techniques. Second, we tackle middlebox chain problems using SDN. In computer networks, applications require traffic to sequence through multiple types of middleboxes to accomplish network functionality. Middlebox policies, numerous applications' requirements, and resource allocations complicate network management. Furthermore, middlebox failures can affect network robustness. We formulate a mixed-integer linear programming problem to achieve a network load-balancing objective in the context of middlebox policy chain routing. Our global routing approach manages network resources efficiently by simplifying candidate-path selections, balancing the entire network and using the simulated annealing algorithm. Moreover, in case of middlebox failures, we design a fast rerouting mechanism by exploiting the remaining link and middlebox resources locally. We implement proposed routing approaches on a Mininet testbed and evaluate experiments' scalability, assessing the effectiveness of the approaches. Third, we build an adversary model to describe in detail how to launch distributed denial of service (DDoS) attacks to overwhelm the SDN controller. Then we discuss possible defense mechanisms to protect the controller from DDoS attacks. We implement a successful DDoS attack and our defense mechanism on the Mininet testbed to demonstrate its feasibility in the real world. In summary, we vertically dive into enhancing network robustness by constructing a topological framework, making routing decisions, and protecting the SDN controller.

Software-defined networking

Network robustness

Middlebox policy

Interdependent network

Security