Measuring And Modeling Of Open vSwitch Performance : Implementation in Docker

Harshini, Nekkanti

January 2016

Network virtualization has become an important aspect of the Telecom industry. The need forefficient, scalable and reliable virtualized network functions is paramount to modern networking.Open vSwitch is such virtual switch that attempts to extend the usage of virtual switches to industrygrade performance levels on heterogeneous platforms.The aim of the thesis is to give an insight into the working of Open vSwitch. To evaluate theperformance of Open vSwitch in various virtualization scenarios such as KVM (second companionthesis)[1] and Docker. To investigate different scheduling techniques offered by the Open vSwitchsoftware and supported by the Linux kernel such as FIFO, SFQ, CODEL, FQCODEL, HTB andHFSC. To differentiate the performance of Open vSwitch in these scenarios and scheduling capacitiesand determine the best scenario for optimum performance.The methodology of the thesis involved a physical model of the system used for real-timeexperimentation as well as quantitative analysis. Quantitative analysis of obtained results paved theway for unbiased conclusions. Experimental analysis was required to measure metrics such asthroughput, latency and jitter in order to grade the performance of Open vSwitch in the particularvirtualization scenario.The results of the thesis must be considered in context with a second companion thesis[1]. Both thethesis aim at measuring the performance of Open v-Switch but the virtualization scenarios (Dockerand KVM) which are chosen are different, However, this thesis outline the performance of Open vSwitch and linux bridge in docker scenario. Various scheduling techniques were measured fornetwork performance metrics across both Docker and KVM (second companion thesis) and it wasobserved that Docker performed better in terms of throughput, latency and jitter. In Docker scenarioamongst the scheduling algorithms measured, it has almost same throughput in all schedulingalgorithms and latency shows slight variation and FIFO has least latency, as it is a simplest algorithmand consists of default qdisk. Finally jitter also shows variation on all scheduling algorithms.The conclusion of the thesis is that the virtualization layer on which Open vSwitch operates is one ofthe main factors in determining the switching performance. The KVM scenario and Docker scenarioeach have different virtualization techniques that incur different overheads that in turn lead to differentmeasurements. This difference occurs in different packet scheduling techniques. Docker performsbetter than KVM for both bridges. In the Docker scenario Linux bridge performs better than that ofOpen vSwitch, throughput is almost constant and FIFO has a least latency amongst all schedulingalgorithms and jitter shows more variation in all scheduling algorithms.

Docker

KVM

Open vSwitch

Scheduling

Measuring and Modeling of Open vSwitch Performance : Implementation in KVM environment

Pothuraju, Rohit

January 2016

Network virtualization has become an important aspect of the Telecom industry. The need for efficient, scalable and reliable virtualized network functions is paramount to modern networking. Open vSwitch is a virtual switch that attempts to extend the usage of virtual switches to industry grade performance levels on heterogeneous platforms.The aim of the thesis is to give an insight into the working of Open vSwitch. To evaluate the performance of Open vSwitch in various virtualization scenarios such as KVM and Docker (from second companion thesis)[1]. To investigate different scheduling techniques offered by the Open vSwitch software and supported by the Linux kernel such as FIFO, SFQ, CODEL, FQCODEL, HTB and HFSC. To differentiate the performance of Open vSwitch in these scenarios and scheduling capacities and determine the best scenario for optimum performance.The methodology of the thesis involved a physical model of the system used for real-time experimentation as well as quantitative analysis. Quantitative analysis of obtained results paved the way for unbiased conclusions. Experimental analysis was required to measure metrics such as throughput, latency and jitter in order to grade the performance of Open vSwitch in the particular virtualization scenario.The result of this thesis must be considered in context with a second companion thesis[1]. Both the theses aim at measuring and modeling performance of Open vSwitch in NFV. However, the results of this thesis outline the performance of Open vSwitch and Linux bridge in KVM virtualization scenario. Various scheduling techniques were measured for network performance metrics and it was observed that Docker performed better in terms of throughput, latency and jitter. In the KVM scenario, from the throughput test it was observed that all algorithms perform similarly in terms of throughput, for both Open vSwitch and Linux bridges. In the round trip latency tests, it was seen that FIFO has the least round trip latency, CODEL and FQCODEL had the highest latencies. HTB and HFSC perform similarly in the latency test. In the jitter tests, it was seen that HTB and HFSC had highest average jitter measurements in UDP Stream test. CODEL and FQCODEL had the least jitter results for both Open vSwitch and Linux bridges.The conclusion of the thesis is that the virtualization layer on which Open vSwitch operates is one of the main factors in determining the switching performance. Docker performs better than KVM for both bridges. In the KVM scenario, irrespective of the scheduling algorithm considered, Open vSwitch performed better than Linux bridge. HTB had highest throughput and FIFO had least round trip latency. CODEL and FQCODEL are efficient scheduling algorithms with low jitter measurements.

Docker

KVM

Open vSwitch

Scheduling

Performance evaluation of Linux Bridge and OVS in Xen

Singh, Jaswinder

January 2015

Virtualization is the key technology which has provided smarter and easier ways for effectively utilizing resources provided by the hypervisor. Virtualization allows multiple operative systems (OS) to run on a single hardware. The resources from a hardware are allocated to virtual machines (VM) by hypervisor. It is important to know how the performance of virtual switches used in hypervisor for network communication affect the network traffic.   Performance of Linux Bridge (LB) and Open vSwitch (OVS) is investigated in this study. The method that has been used in this research is experimentation. Two different scenarios are used to benchmark the performance of LB and OVS in virtual and non-virtual environment. Performance metrics bitrate is used to benchmark the performance LB and OVS. The results received from the experimental runs contains the ingress bitrate and egress bitrate of LB and OVS in virtual and non-virtual environment. The results also contain the ingress and egress bitrate values from scenarios with different memory and CPU cores in virtual environment. Results achieved in this thesis report are from multiple experiment configurations. From results it can concluded that LB and OVS have almost same performance in non-virtual environment. There are small differences in ingress and egress of both virtual switches.

Bitrate

Linux Bridge

Open vSwitch

Xen

Virtualization

Trusted Execution Environments for Open vSwitch : A security enabler for the 5G mobile network

Elbashir, Khalid

January 2017

The advent of virtualization introduced the need for virtual switches to interconnect virtual machines deployed in a cloud infrastructure. With Software Defined Networking (SDN), a central controller can configure these virtual switches. Virtual switches execute on commodity operating systems. Open vSwitch is an open source project that is widely used in production cloud environments. If an adversary gains access with full privileges to the operating system hosting the virtual switch, then Open vSwitch becomes vulnerable to a variety of different attacks that could compromise the whole network. The purpose of this thesis project is to improve the security of Open vSwitch implementations in order to ensure that only authenticated switches and controllers can communicate with each other, while maintaining code integrity and confidentiality of keys and certificates. The thesis project proposes a design and shows an implementation that leverages Intel® Safe Guard Extensions (SGX) technology. A new library, TLSonSGX, is implemented. This library replaces the use of the OpenSSL library in Open vSwitch. In addition to implementing standard Transport Level Security (TLS) connectivity, TLSonSGX confines TLS communication in the protected memory enclave and hence protects TLS sensitive components necessary to provide confidentiality and integrity, such as private keys and negotiated symmetric keys. Moreover, TLSonSGX introduces new, secure, and automatic means to generate keys and obtain signed certificates from a central Certificate Authority that validates using Linux Integrity Measurements Architecture (IMA) that the Open vSwitch binaries have not been tampered with before issuing a signed certificate. The generated keys and obtained certificates are stored in the memory enclave and hence never exposed as plaintext outside the enclave. This new mechanism is a replacement for the existing manual and unsecure procedures (as described in Open vSwitch project). A security analysis of the system is provided as well as an examination of performance impact of the use of a trusted execution environment. Results show that generating keys and certificates using TLSonSGX takes less than 0.5 seconds while adding 30% latency overhead for the first packet in a flow compared to using OpenSSL when both are executed on Intel® CoreTM i7-6600U processor clocked at 2.6 GHz. These results show that TLSonSGX can enhance Open vSwitch security and reduce its TLS configuration overhead. / Framkomsten av virtualisering införde behovet av virtuella växlar för att koppla tillsammans virtuella maskiner placerade i molninfrastruktur. Med mjukvarubaserad nätverksteknik (SDN), kan ett centralt styrenhet konfigurera dessa virtuella växlar. Virtuella växlar kör på standardoperativsystem. Open vSwitch är ett open-source projekt som ofta används i molntjänster. Om en motståndare får tillgång med fullständiga privilegier till operativsystemet där Open vSwitch körs, blir Open vSwitch utsatt för olika attacker som kan kompromettera hela nätverket.  Syftet med detta examensarbete är att förbättra säkerheten hos Open vSwitch för att garantera att endast autentiserade växlar och styrenheter kan kommunicera med varandra, samtidigt som att upprätthålla kod integritet och konfidentialitet av nycklar och certifikat. Detta examensarbete föreslår en design och visar en implementation som andvändar Intel®s Safe Guard Extensions (SGX) teknologi. Ett nytt bibliotek, TLSonSGX, är implementerat. Detta bibliotek ersätter biblioteket OpenSSL i Open vSwitch. Utöver att det implementerar ett standard “Transport Layer Security” (TLS) anslutning, TLSonSGX begränsar TLS kommunikation i den skyddade minnes enklaven och skyddar därför TLS känsliga komponenter som är nödvändiga för att ge sekretess och integritet, såsom privata nycklar och förhandlade symmetriska nycklar. Dessutom introducerar TLSonSGX nya, säkra och automatiska medel för att generera nycklar och få signerade certifikat från en central certifikatmyndighet som validerar, med hjälp av Linux Integrity Measurements Architecture (IMA), att Open vSwitch-binärerna inte har manipulerats innan de utfärdade ett signerat certifikat. De genererade nycklarna och erhållna certifikat lagras i minnes enklaven och är därför aldrig utsatta utanför enklaven. Denna nya mekanism ersätter de manuella och osäkra procedurerna som beskrivs i Open vSwitch projektet. En säkerhetsanalys av systemet ges såväl som en granskning av prestandaffekten av användningen av en pålitlig exekveringsmiljö. Resultaten visar att använda TLSonSGX för att generera nycklar och certifikat tar mindre än 0,5 sekunder medan det lägger 30% latens overhead för det första paketet i ett flöde jämfört med att använda OpenSSL när båda exekveras på Intel® Core TM processor i7-6600U klockad vid 2,6 GHz. Dessa resultat visar att TLSonSGX kan förbättra Open vSwitch säkerhet och minska TLS konfigurationskostnaden.

Open vSwitch

SDN

Trusted Execution Environment

SGX

Cloud Computing

Open vSwitch

SDN

mjukvarudefinierade nätverk

SGX

molntjänster

Communication Systems

Kommunikationssystem

Mitigation of inter-domain Policy Violations at Internet eXchange Points

Raheem, Muhammad

January 2019

Economic incentives and the need to efficiently deliver Internet have led to the growth of Internet eXchange Points (IXPs), i.e., the interconnection networks through which a multitude of possibly competing network entities connect to each other with the goal of exchanging traffic. At IXPs, the exchange of traffic between two or more member networks is dictated by the Border gateway Protocol (BGP), i.e., the inter-domain routing protocol used by network operators to exchange reachability information about IP prefix destinations. There is a common “honest-closed-world” assumption at IXPs that two IXP members exchange data traffic only if they have exchanged the corresponding reachability information via BGP. This state of affairs severely hinders security as any IXP member can send traffic to another member without having received a route from that member. Filtering traffic according to BGP routes would solve the problem. However, IXP members can install filters but the number of filtering rules required at a large IXP can easily exceed the capacity of the network devices. In addition, an IXP cannot filter this type of traffic as the exchanged BGP routes between two members are not visible to the IXP itself. In this thesis, we evaluated the design space between reactive and proactive approaches for guaranteeing consistency between the BGP control-plane and the data-plane. In a reactive approach, an IXP member operator monitors, collects, and analyzes the incoming traffic to detect if any illegitimate traffic exists whereas, in a proactive approach, an operator configures its network devices to filter any illegitimate traffic without the need to perform any monitoring. We focused on proactive approaches because of the increased security of the IXP network and its inherent simplified network management. We designed and implemented a solution to this problem by leveraging the emerging Software Defined Networking (SDN) paradigm, which enables the programmability of the forwarding tables by separating the control- and data-planes. Our approach only installs rules in the data-plane that allow legitimate traffic to be forwarded, dropping anything else. As hardware switches have high performance but low memory space, we decided to make also use of software switches.  A “heavy-hitter” module detects the forwarding rules carrying most of the traffic and installs them into the hardware switch. The remaining forwarding rules are installed into the software switches. We evaluated the prototype in an emulated testbed using the Mininet virtual network environment. We analyzed the security of our system with the help of static verification tests, which confirmed compliance with security policies. The results reveal that with even just 10% of the rules installed in the hardware switch, the hardware switch directly filterss 95% of the traffic volume with non-uniform Internet-like traffic distribution workloads. We also evaluated the latency and throughput overheads of the system, though the results are limited by the accuracy of the emulated environment. The scalability experiments show that, with 10K forwarding rules, the system takes around 40 seconds to install and update the data plane. This is due to inherent slowness of the emulated environment and limitations of the POX controller, which is coded in Python. / Ekonomiska incitament och behovet av att effektivt leverera Internet har lett till tillväxten av Internet eXchange Points (IXP), dvs de sammankopplingsnät genom vilka en mängd möjligen konkurrerande nätverksenheter förbinder varandra med målet att utbyta trafik. Vid IXPs dikteras utbytet av trafik mellan två eller flera medlemsnät av gränsgatewayprotokollet (BGP), dvs det inter-domänroutingprotokollet som används av nätoperatörer för att utbyta tillgänglighetsinformation om IP-prefixdestinationer. Det finns ett gemensamt antagande om "honest-closed-world" vid IXP, att två IXP-medlemmar endast utbyter datatrafik om de har bytt ut motsvarande tillgänglighetsinformation via BGP. Detta tillstånd försvårar allvarligt säkerheten eftersom varje IXP-medlem kan skicka trafik till en annan medlem utan att ha mottagit en rutt från den medlemmen. Filtrering av trafik enligt BGP-vägar skulle lösa problemet. IXPmedlemmar kan dock installera filter men antalet filtreringsregler som krävs vid en stor IXP kan enkelt överskrida nätverksenheternas kapacitet. Dessutom kan en IXP inte filtrera denna typ av trafik eftersom de utbytta BGP-vägarna mellan två medlemmar inte är synliga för IXP-enheten själv. I denna avhandling utvärderade vi utrymmet mellan reaktiva och proaktiva metoder för att garantera överensstämmelse mellan BGP-kontrollplanet och dataplanet. I ett reaktivt tillvägagångssätt övervakar, samlar och analyserar en inkommande trafik en IXP-medlem för att upptäcka om någon obehörig trafik finns, medan en operatör konfigurerar sina nätverksenheter för att filtrera någon obehörig trafik utan att behöva övervaka. Vi fokuserade på proaktiva tillvägagångssätt på grund av den ökade säkerheten för IXP-nätverket och dess inneboende förenklad nätverkshantering. Vi konstruerade och genomförde en lösning på detta problem genom att utnyttja det nya SDN-paradigmet (Software Defined Networking), vilket möjliggör programmerbarheten hos vidarebefordringsborden genom att separera kontroll- och dataplanerna. Vårt tillvägagångssätt installerar bara regler i dataplanet som tillåter legitim trafik att vidarebefordras, släppa allt annat. Eftersom hårdvaruomkopplare har hög prestanda men lågt minne, bestämde vi oss för att även använda programvaruomkopplare. En "heavy-hitter" -modul detekterar vidarebefordringsreglerna som transporterar större delen av trafiken och installerar dem i hårdvaruomkopplaren. De återstående spolningsreglerna installeras i programvaruomkopplarna. Vi utvärderade prototypen i en emulerad testbädd med hjälp av virtuella nätverksmiljö Mininet. Vi analyserade säkerheten för vårt system med hjälp av statiska verifieringsprov, vilket bekräftade överensstämmelse med säkerhetspolicyerna. Resultaten visar att med bara 10% av de regler som installerats i hårdvaruomkopplaren filtrerar hårdvaruomkopplaren direkt 95% av trafikvolymen med ojämn Internetliknande trafikfördelningsarbete. Vi utvärderade också latens- och genomströmningsomkostnaderna för systemet, även om resultaten begränsas av noggrannheten hos den emulerade miljön. Skalbarhetsexperimenten visar att med 10K-vidarebefordringsregler tar systemet cirka 40 sekunder för att installera och uppdatera dataplanet. Detta beror på inneboende långsamma emulerade miljöer och begränsningar av POX-kontrollern, som kodas i Python.

IXP

Computer Networks

Distributed Systems

SDN

OpenFlow

BGP

Open vSwitch

Security

Firewall

Monitoring

IXP

Datornätverk

Distribuerade System

SDN

OpenFlow

BGP

Open vSwitch

Säkerhet

Brandvägg

Övervakning

Communication Systems

Kommunikationssystem

Software Defined Networking and Tunneling for Mobile Networks

Liu, Binghan

January 2013

With the deployment of Long Term Evolution (LTE) networks, mobile networks will become an important infrastructure component in the cloud ecosystem.  However, in the cloud computing era, traditional routing and switching platforms do not meet the requirements of this new trend, especially in a mobile network environment. With the recent advances in software switches and efficient virtualization using commodity servers, Software Defined Networking (SDN) has emerged as a powerful technology to meet the new requirements for supporting a new generation of cloud service. This thesis describers an experimental investigation of cloud computing, SDN, and a mobile network’s packet core. The design of a mobile network exploiting the evolution of SDN is also presented. The actual implementation consists of a GTP enabled Open vSwitch together with the transparent mode of mobile network SDN evolution. Open vSwitch is a SDN product designed for computer networks. The implementation extends Open vSwitch with an implementation of the GTP protocol. This extension enables Open vSwitch to be an excellent SDN component for mobile networks. In transparent mode, a cloud data center is deployed without making any modification to the existing mobile networks.  In the practical evaluation of the GTP-U tunnel protocol implementation, the measured metrics are UDP and TCP throughput, end-to-end latency and jitter.  Two experiments have been conducted and described in the evaluation chapter. Cloud computing has become one of the hottest Internet topics. It is attractive for the mobile network to adopt cloud computing technology in order to enjoy the benefits of cloud computing. For example, to reduce network construction cost, make the network deployment more flexible, etc. This thesis presents an potential direction for mobile network cloud computing. Since this thesis relies on open source projects, readers may use the results to explore a feasible direction for mobile network cloud computing evolution. / Med utbyggnaden av långa (LTE) Term Evolution nätverk, mobila nätverk kommer blivit en viktig infrastruktur komponent i molnet ekosystemet. Men i cloud computing eran, uppfyller traditionella routing och switching plattformar inte kraven i denna nya trend, särskilt i ett mobilnät miljö. Med de senaste framstegen i programvara växlar och effektiv virtualisering påråvaror servrar, programvarustyrd Nätverk (SDN) har utvecklats till en kraftfull teknik för att möta de nya kraven för att stödja en ny generation av molntjänst. Denna avhandling beskrivarna en försöksverksamhet inriktad undersökning av cloud computing, SDN och ett mobilnät är Packet Core. Utformningen av ett mobilnät utnyttja SDN utveckling presenteras också. Det faktiska genomförandet består av en GTP aktiverad Open Vswitch tillsammans med transparent läge av mobilnätet SDN evolution. Öppna Vswitch är en SDN-produkt avsedd för datornätverk. Genomförandet utökar Open Vswitch med en implementering av GTP-protokollet. Denna uppgradering gör Open Vswitch vara som en utmärkt SDN komponent för mobila nätverk. I transparent läge är ett moln datacenter utplacerade utan göra eventuella ändringar till befintliga mobilnät. I den praktiska utvärderingen av GTP-U tunnel protokollimplementering, de uppmätta mått är UDP och TCP genomströmning, end-to-end-latens, jitter och paketförluster.  Tvåexperiment har utförts i utvärderingen kapitlet. Cloud computing har blivit en av de hetaste av Internet. Således kan framtiden för det mobila nätet ocksåanta teknik cloud computing och dra nytta av cloud computing. Till exempel minska kostnaderna nätbyggnad, gör nätverket distribuera mer flexibla, etc. .. Denna avhandling presenterar en möjlig inriktning för mobilnät cloud computing. Eftersom denna avhandling bygger påopen source-projekt, läsarna använda resultatet av den att utforska möjliga riktning mobilnät cloud computing utveckling.

Software defined networking

Cloud computing

GTP-U tunneling

Open vSwitch

Software Defined nätverk

Cloud computing

GTP-U tunnel

Open Vswitch

Communication Systems

Kommunikationssystem

SDN OpenFlow Switch上效能評測 / Performance Evaluation of SDN OpenFlow Switch

蔡明志, Tsai, Ming Chih

Unknown Date

SDN軟體定義網路，是一種新的以軟體為基礎的網路架構及技術。最大的特點為將傳統二、三層網路設備的控制功能與設備本身數據轉發功能進行分離。由於分離後的控制功能集中統一管理，且其具有軟體設計的靈活性，因此，網路管理人員對底層設備的資源控制變得更加容易，進而大大提升網路自動化管理能力，並有效解決目前網路系統所面臨的如網路拓樸的靈活性差，規模擴充受限等問題。 近年來隨著寬頻上網，物聯網，雲端計算，移動裝置等新技術及新業務的快速發展，在愈來愈多各種型態連網裝置快速增加的情況下，同時也使人們對IP位址的需求日增。然而目前IPv4卻無法針對此需求，提供一個相對大量的位址，也因此對於IPv4到IPv6網路的升級有其迫切性與必要性。IPv4過渡到IPv6網路目前提出的方法有三種：Dual Stack、Tunneling以及Translation。Tunneling及Translation皆有其效能上的瓶頸，為過渡期間的應用技術。目前主要推動的技術為Dual Stack，在Dual Stack模式下，可以由IPv4網路逐步演進成IPv4與IPv6共存互通，最後再形成以IPv6為主的網路。現階段愈來愈多的IPv6設備與節點，為順利的連接舊的IPv4與新的IPv6網路，藉由具有Dual Stack能力的SDN交換機網路設備，將是個有效的解決方案，也將使得IPv6網路的管理及升級更具有彈性。SDN、IPv6為現今幾個熱門的研究議題，看似不同領域的電腦相關技術，然而若使上述幾種技術相互連結使用，將使得未來之網路環境更具備可擴充性、可管理性、靈活性與敏捷性。 為了解SDN交換機上的效能，本論文提出一個測試平台架構。利用Linux系統做為待測網路設備，並在待測網路設備上模擬Bridge、Router、Open vSwitch SDN交換機等不同環境。測試端為Linux系統，並使用Iperf測試軟體，透過對待測網路設備不同模擬環境下發送不同大小的封包做效能測試。實驗中同時也量測IPv4網路協定，以作為和傳統網路效能的比較。另外，也量測了SDN交換機同時在IPv4及IPv6雙協定的負載下，和單獨的IPv4協定或IPv6協定做效能上的差異比較。最後，也模擬同時在多主機下對待測網路設備進行封包的發送與接收，以測試SDN交換機在多主機下的負載狀況。 經由測量的數據分析，IPv6在Open vSwitch SDN交換機上運行效能幾乎等同於傳統的IPv4，也驗證IPv6在交換機上的可行性。此外，當SDN交換機同時運行在IPv4和IPv6雙協定環境下，在整體效能的表現上和單獨運行單協定相比幾近相同，也證明SDN交換機同時運行在雙協定下的可行性。由多主機負載的實驗數據分析，在以UDP協定做資料傳送時，愈多的主機因為資源的競爭問題愈大外，間接也會造成愈多packet loss。並且對較大的封包，packet loss的問題也愈嚴重，但相對來看，在以TCP協定做資料傳送時，total throughput的瓶頸則決定於網路卡的效能，即效能愈好的網路卡，愈能提升多主機環境下的total throughput。 / Software Defined Network (SDN) is a new software-based network architecture and technique. The main characteristic is to separate the control functions and the data forwarding functions of the traditional layer 2 or layer 3 network devices. Since the separated control functions can be centralized management with software design flexibility, thus network managers can control the underlying resource device easier, which greatly enhances the ability to automate network management as well as effectively resolves the problems confronted by conventional network system, such as lack of network topology flexibility, limited network scalability. In recent decades, along with broadband Internet access, Internet of Things, cloud computing, the rapid development of new technologies and the rapid increase of network devices, it has increased the demand for IP address to a great extent. While IPv4 can not meet the current demand to offer a relatively large number of addresses and thus it is urgent and essential to upgrade IPv4 to IPv6 network. Transition from IPv4 to IPv6 network currently is proposed in these three ways which respectively named Dual Stack, Tunneling, and Translation. Tunneling and Translation have their performance bottlenecks and only Dual Stack mode can be gradually evolved from IPv4 to IPv4 and IPv6 coexistence network, eventually toward the IPv6-based network. There are increasing numbers of IPv6 devices and nodes with the aim to connect IPv4 network to IPv6 network, through SDN switch with Dual Stack network which would be an effective solution. It makes the IPv6 network management and maintenance more flexible. IPv6 and SDN are two hot researching issues currently. If they can be linked with each other, it will be more scalable and flexible for the network environment in the future. In order to understand the effectiveness of the SDN switch, this paper presents a test platform architecture. Using Linux systems as a Device under Testing, we simulate Bridge, Router, Open vSwitch SDN switch network equipment on it. Test end is Linux system, and Iperf serves as a test software. Through simulation of the Device under Testing in different scenarios, we have performed many tests on different sizes of packets. The experiment also measures IPv4 network protocol and compares with traditional network. In order to compare with the performance of separate IPv4 or IPv6 protocol, the loading of SDN switch running both of IPv4 and IPv6 dual protocol is measured. Finally, simulation on multi-host is tested under Device under Testing in sending and receiving packet which is to test SDN switch under a multi-host loading conditions. Through the analysis of the measured data, the performance of IPv6 running on the Open Switch SDN switch is equivalent to that of the traditional IPv4. It also proves the feasibility and efficiency of IPv6 on the switch. In addition, when SDN switch running in IPv4 and IPv6 Dual Stack mode simultaneously, the overall performance is almost exactly the same as single IPv4 or IPv6 protocol, which proves the feasibility of SDN switch in Dual Stack mode. Based on the analysis of multiple-host loading, UDP protocols were used during data transfer. Apart from multi-hosts with more competition for resourcing issue, a packet loss will be aroused indirectly. We observed that larger packets can cause more packet loss. However, with TCP protocols during data transfer, total throughput bottleneck is determined by the effectiveness of the network card. Therefore, the better the effectiveness of the network card is, the higher total throughput can be provided in multi-host environment.

軟體定義網路

SDN

OpenFlow

Open vSwitch

IPv6

NFV performance benchmarking with OVS and Linux containers

Rang, Tobias

January 2017

One recent innovation in the networking industry, is the concept of Network FunctionVirtualization (NFV). NFV is based on a networking paradigm in which network functions,which have typically been implemented in the form of dedicated hardware appliances in thepast, are implemented in software and deployed on commodity hardware using modernvirtualization techniques. While the most common approach is to place each virtual networkfunction in a virtual machine - using hardware-level virtualization – the growing influenceand popularity of Docker and other container-based solutions has naturally led to the idea ofcontainerized deployments. This is a promising concept, as containers (or operating systemlevel virtualization) can offer a flexible and lightweight alternative to hardware-levelvirtualization, with the ability to use the resources of the host directly. The main problem withthis concept, is the fact that the default behavior of Docker and similar technologies is to relyon the networking stack of the host, which typically isn’t performant enough to handle theperformance requirements associated with NFV. In this dissertation, an attempt is made toevaluate the feasibility of using userspace networking to accelerate the network performanceof Docker containers, bypassing the standard Linux networking stack by moving the packetprocessing into userspace.

nfv

containers

dpdk

userspace networking

ovs

open vswitch

benchmark

networking

cloudlab

Computer Sciences

Datavetenskap (datalogi)

Akcelerace OVS s využitím akcelerační karty s FPGA / OVS Acceleration Using FPGA Acceleration Card

Vido, Matej

January 2018

The performance of the virtual switch Open vSwitch (OVS) is insufficient to satisfy the current requirements for link bandwidth of the server connections. There is an effort to accelerate the OVS both in the software and in the hardware by offloading the datapath to the smart network interface cards. In this work the COMBO card for 100G Ethernet developed by CESNET is used to accelerate the OVS. The suggested solution utilizes the firmware for FPGA generated from the definition in the P4 language to classify the packets in the card and DPDK for the data transfers and offloading the classification rules into the card. Forwarding of one flow with the shortest frames from physical to physical interface using one CPU core reaches forwarding rate of 11.2 Mp/s (10 times more than the standard OVS) with classification in the card and 5.9 Mp/s without classification in the card.

Mitigation of inter-domain Policy Violations at Internet eXchange Points

Raheem, Muhammad

January 2019

Economic incentives and the need to efficiently deliver Internet have led to the growth of Internet eXchange Points (IXPs), i.e., the interconnection networks through which a multitude of possibly competing network entities connect to each other with the goal of exchanging traffic. At IXPs, the exchange of traffic between two or more member networks is dictated by the Border gateway Protocol (BGP), i.e., the inter-domain routing protocol used by network operators to exchange reachability information about IP prefix destinations. There is a common “honest-closed-world” assumption at IXPs that two IXP members exchange data traffic only if they have exchanged the corresponding reachability information via BGP. This state of affairs severely hinders security as any IXP member can send traffic to another member without having received a route from that member. Filtering traffic according to BGP routes would solve the problem. However, IXP members can install filters but the number of filtering rules required at a large IXP can easily exceed the capacity of the network devices. In addition, an IXP cannot filter this type of traffic as the exchanged BGP routes between two members are not visible to the IXP itself. In this thesis, we evaluated the design space between reactive and proactive approaches for guaranteeing consistency between the BGP control-plane and the data-plane. In a reactive approach, an IXP member operator monitors, collects, and analyzes the incoming traffic to detect if any illegitimate traffic exists whereas, in a proactive approach, an operator configures its network devices to filter any illegitimate traffic without the need to perform any monitoring. We focused on proactive approaches because of the increased security of the IXP network and its inherent simplified network management. We designed and implemented a solution to this problem by leveraging the emerging Software Defined Networking (SDN) paradigm, which enables the programmability of the forwarding tables by separating the controland dataplanes. Our approach only installs rules in the data-plane that allow legitimate traffic to be forwarded, dropping anything else. As hardware switches have high performance but low memory space, we decided to make also use of software switches. A “heavy-hitter” module detects the forwarding rules carrying most of the traffic and installs them into the hardware switch. The remaining forwarding rules are installed into the software switches.We evaluated the prototype in an emulated testbed using the Mininet virtualnetwork environment. We analyzed the security of our system with the help of static verification tests, which confirmed compliance with security policies. The results reveal that with even just 10% of the rules installed in the hardware switch, the hardware switch directly filter 95% of the traffic volume with nonuniform Internet-like traffic distribution workloads. We also evaluated the latency and throughput overheads of the system, though the results are limited by the accuracy of the emulated environment. The scalability experiments show that, with 10K forwarding rules, the system takes around 40 seconds to install and update the data plane. This is due to inherent slowness of emulated environment and limitations of the POX controller, which is coded in Python. / Ekonomiska incitament och behovet av att effektivt leverera Internet har lett till tillväxten av Internet eXchange Points (IXP), dvs de sammankopplingsnät genom vilka en mängd möjligen konkurrerande nätverksenheter förbinder varandra med målet att utbyta trafik. Vid IXPs dikteras utbytet av trafik mellan två eller flera medlemsnät av gränsgatewayprotokollet (BGP), dvs det inter-domänroutingprotokollet som används av nätoperatörer för att utbyta tillgänglighetsinformation om IP-prefixdestinationer. Det finns ett gemensamt antagande om "honest-closed-world" vid IXP, att två IXP-medlemmar endast utbyter datatrafik om de har bytt ut motsvarande tillgänglighetsinformation via BGP. Detta tillstånd försvårar allvarligt säkerheten eftersom varje IXP-medlem kan skicka trafik till en annan medlem utan att ha mottagit en rutt från den medlemmen. Filtrering av trafik enligt BGP-vägar skulle lösa problemet. IXPmedlemmar kan dock installera filter men antalet filtreringsregler som krävs vid en stor IXP kan enkelt överskrida nätverksenheternas kapacitet. Dessutom kan en IXP inte filtrera denna typ av trafik eftersom de utbytta BGP-vägarna mellan två medlemmar inte är synliga för IXP-enheten själv.I denna avhandling utvärderade vi utrymmet mellan reaktiva och proaktiva metoder för att garantera överensstämmelse mellan BGP-kontrollplanet och dataplanet. I ett reaktivt tillvägagångssätt övervakar, samlar och analyserar en inkommande trafik en IXP-medlem för att upptäcka om någon obehörig trafik finns, medan en operatör konfigurerar sina nätverksenheter för att filtrera någon obehörig trafik utan att behöva övervaka . Vi fokuserade på proaktiva tillvägagångssätt på grund av den ökade säkerheten för IXP-nätverket och dess inneboende förenklad nätverkshantering. Vi konstruerade och genomförde en lösning på detta problem genom att utnyttja det nya SDN-paradigmet (Software Defined Networking), vilket möjliggör programmerbarheten hos vidarebefordringsborden genom att separera kontrolloch dataplanerna. Vårt tillvägagångssätt installerar bara regler i dataplanet som tillåter legitim trafik att vidarebefordras, släppa allt annat. Eftersom hårdvaruomkopplare har hög prestanda men lågt minne, bestämde vi oss för att även använda programvaruomkopplare. En "heavy-hitter" -modul detekterar vidarebefordringsreglerna som transporterar större delen av trafiken och installerar dem i hårdvaruomkopplaren. De återstående spolningsreglerna installeras i programvaruomkopplarna.Vi utvärderade prototypen i en emulerad testbädd med hjälp av virtuella nätverksmiljö Mininet. Vi analyserade säkerheten för vårt system med hjälp av statiska verifieringsprov, vilket bekräftade överensstämmelse med säkerhetspolicyerna. Resultaten visar att med bara 10% av de regler som installerats i hårdvaruomkopplaren filtrerar hårdvaruomkopplaren direkt 95% av trafikvolymen med ojämn Internetliknande trafikfördelningsarbete. Vi utvärderade också latensoch genomströmningsomkostnaderna för systemet, även om resultaten begränsas av noggrannheten hos den emulerade miljön. Skalbarhetsexperimenten visar att med 10K-vidarebefordringsregler tar systemet cirka 40 sekunder för att installera och uppdatera dataplanet. Detta beror på inneboende långsamma emulerade miljöer och begränsningar av POX-kontrollern, som kodas i Python.

IXP

Computer Networks

Distributed Systems

SDN

OpenFlow

BGP

Open vSwitch

Security

Firewall

Monitoring

IXP

Datornätverk

Distribuerade System

SDN

OpenFlow

BGP

Open vSwitch

Säkerhet

Brandvägg

Övervakning

Computer and Information Sciences

Data- och informationsvetenskap