Performance Analysis on Dynamic VLAN an OpenFlow

Gurramkonda, Reddy Kamal Teja

January 2015

In the current innovative network, to cope with the increased require- ments of customers, there is a rapid increase in the development of dierent protocols and applications. With such increase in networking technology, the security constraints are becoming more and more severe, reducing the accessibility to the actual network for implementing new protocols. This scenario forced for an urgent need of a technology, which can help the re- searchers to implement their developed protocols in the network without inuencing the production trac. This need resulted in a concept called network isolation. This is achieved by VLAN or SDN technologies. In this study, we investigate the performance of VLAN and an API of SDN in the context of establishing dynamic link, in switching setup. For such a link creation, dynamic VLAN (dVLAN) is used in the former case and OpenFLow protocol is used in the later scenario. The main focus in this study is to compare the dynamic behavior of both the protocols in layer-2 context by measuring network level performance metrics of each protocol. Some of the features like, vendor independency and software independency is taken into account while measuring the performance metrics. In order to evaluate the performance, an experimental testbed is implemented. The network level performance metric called protocol setup time is measured. It is the time taken by each protocol to setup an active link between two end-hosts. A two-tire network architecture is implemented with the mentioned features. From the analytical and statistical results obtained, OpenFlow re- sulted in performing relatively better when compared to dynamic VLANs. By carefully examining the protocol setup time of OpenFlow against dVLAN, OpenFlow took less time when compared to dVLAN resulting in faster exe- cution in enabling connectivity. On the other hand, the analytical study on the two protocols reects the simplicity exhibited by dVLAN over Open- Flow.

Dynamic VLAN

Network Isolation

OpenFlow

SDN

Rede definida por software para a detecção de anomalias e contramedidas de segurança em smart grid / Software defined network for anomalies detection and security countermeasures in smart grid

Ferrari, Ricardo Cesar Câmara

01 March 2018

Submitted by RICARDO CESAR CAMARA FERRARI null (rccferrari@hotmail.com) on 2018-04-05T15:50:10Z No. of bitstreams: 1 TESEV59.pdf: 2999220 bytes, checksum: d4796fb104f36a34069600090d6741e9 (MD5) / Approved for entry into archive by Cristina Alexandra de Godoy null (cristina@adm.feis.unesp.br) on 2018-04-05T18:37:17Z (GMT) No. of bitstreams: 1 ferrari_rcc_dr_ilha.pdf: 2999220 bytes, checksum: d4796fb104f36a34069600090d6741e9 (MD5) / Made available in DSpace on 2018-04-05T18:37:17Z (GMT). No. of bitstreams: 1 ferrari_rcc_dr_ilha.pdf: 2999220 bytes, checksum: d4796fb104f36a34069600090d6741e9 (MD5) Previous issue date: 2018-03-01 / O trabalho propõe uma aplicação com o uso de desvio padrão para definir limites máximos e mínimos de pacotes e bytes para detecção de anomalias nos fluxos de comunicação entre mestre e escravos com o uso do protocolo DNP3 (Distributed Network Protocol v3.0) em uma Smart Grid, além de detecção e bloqueio de ataques originados de máquinas intrusas ou conhecidas. Atualmente, diversas pesquisas vêm sendo desenvolvidas sobre uso de sistemas Smart Grid, no entanto, sua implantação possui alguns fatores de risco. Esses fatores estão associados às redes de transmissão de dados, às tecnologias de aquisição e controle das informações, e às vulnerabilidades intrínsecas da união dessas tecnologias. A principal motivação dessa proposta origina-se da necessidade de se garantir segurança dos sistemas Smart Grid e o potencial apresentado pelas Redes Definidas por Software (Software Defined Networking – SDN) em analisar os fluxos de dados em um switch. Assim, a investigação dessas vulnerabilidades, bem como, a identificação de situações de ataques são relevantes a fim de propor soluções de defesa. Para isto, a tecnologia de SDN apresentou-se como uma solução viável e otimizada para a proteção de sistemas Smart Grid, permitindo que seja realizado um monitoramento dos fluxos entre mestre e escravos, e a coleta de informações para análise, abrindo oportunidades para aplicações de segurança em Smart Grid. Dessa forma, foram realizados três experimentos, o primeiro com o objetivo de mostrar a vulnerabilidade de uma Smart Grid, o segundo com o intuito de analisar uma aplicação SDN em uma Smart Grid e o terceiro com dois ataques DDoS (Distributed Denial of Service) em uma Smart Grid. O primeiro ataque a partir de máquinas intrusas e o segundo ataque, de escravas, permitindo analisar e monitorar o fluxo de dados e o bloqueio das portas em um Open vSwitch (OVS). Nesse contexto, um componente de um controlador SDN foi modificado para adicionar segurança e monitoramento da rede, tendo um comportamento satisfatório, identificando anomalias e conseguindo realizar bloqueios de portas das máquinas atacantes. / The work proposes an application with the use of standard deviation to define limits of maximum and minimum of packets and bytes for detection of anomalies in the communication flows between master and slave using the Distributed Network Protocol v3.0 (DNP3), besides the detection and blocking of attacks originated from intrusive or known machines. Currently several researches have been developed on the use of Smart Grid systems, however, its implementation has some risk factors. These factors are associated with data transmission networks, information acquisition and control technologies and intrinsic vulnerabilities of the union of these technologies. The main motivation of this proposal comes from the need to guarantee security of Smart Grid systems and the potential presented by Software Defined Networking (SDN). Thus, the investigation of these vulnerabilities, as well as, identification of situations of attacks are relevant in order to propose defense solutions. For this, the SDN technology has presented a viable and optimized solution for the protection of Smart Grid systems, allowing the monitoring of masterslave flows and the collection of information for analysis, opening opportunities for security applications in Smart Grid. In this way, three experiments were carried out, the first to show the vulnerability of an insecure Smart Grid, the second to analyze a SDN application in a Smart Grid and the third with two Distributed Denial of Service (DDoS) attack on a Smart Grid, the first from intrusive machines and the second from slaves, allowing to analyze and monitor the data flow and the lock of the doors in an Open vSwitch (OVS). In this context, a component of an SDN controller has been modified to add security and monitoring of the network, having a satisfactory behavior, identifying anomalies and being able to perform port blocking of the attacking machines.

SDN

Segurança

POX

DDoS

Smart Grid

Rede definida por software para a detecção de anomalias e contramedidas de segurança em smart grid /

Ferrari, Ricardo Cesar Câmara

January 2018

Orientador: Ailton Akira Shinoda / Resumo: O trabalho propõe uma aplicação com o uso de desvio padrão para definir limites máximos e mínimos de pacotes e bytes para detecção de anomalias nos fluxos de comunicação entre mestre e escravos com o uso do protocolo DNP3 (Distributed Network Protocol v3.0) em uma Smart Grid, além de detecção e bloqueio de ataques originados de máquinas intrusas ou conhecidas. Atualmente, diversas pesquisas vêm sendo desenvolvidas sobre uso de sistemas Smart Grid, no entanto, sua implantação possui alguns fatores de risco. Esses fatores estão associados às redes de transmissão de dados, às tecnologias de aquisição e controle das informações, e às vulnerabilidades intrínsecas da união dessas tecnologias. A principal motivação dessa proposta origina-se da necessidade de se garantir segurança dos sistemas Smart Grid e o potencial apresentado pelas Redes Definidas por Software (Software Defined Networking – SDN) em analisar os fluxos de dados em um switch. Assim, a investigação dessas vulnerabilidades, bem como, a identificação de situações de ataques são relevantes a fim de propor soluções de defesa. Para isto, a tecnologia de SDN apresentou-se como uma solução viável e otimizada para a proteção de sistemas Smart Grid, permitindo que seja realizado um monitoramento dos fluxos entre mestre e escravos, e a coleta de informações para análise, abrindo oportunidades para aplicações de segurança em Smart Grid. Dessa forma, foram realizados três experimentos, o primeiro com o objetivo de mostrar a vuln... (Resumo completo, clicar acesso eletrônico abaixo) / Abstract: The work proposes an application with the use of standard deviation to define limits of maximum and minimum of packets and bytes for detection of anomalies in the communication flows between master and slave using the Distributed Network Protocol v3.0 (DNP3), besides the detection and blocking of attacks originated from intrusive or known machines. Currently several researches have been developed on the use of Smart Grid systems, however, its implementation has some risk factors. These factors are associated with data transmission networks, information acquisition and control technologies and intrinsic vulnerabilities of the union of these technologies. The main motivation of this proposal comes from the need to guarantee security of Smart Grid systems and the potential presented by Software Defined Networking (SDN). Thus, the investigation of these vulnerabilities, as well as, identification of situations of attacks are relevant in order to propose defense solutions. For this, the SDN technology has presented a viable and optimized solution for the protection of Smart Grid systems, allowing the monitoring of masterslave flows and the collection of information for analysis, opening opportunities for security applications in Smart Grid. In this way, three experiments were carried out, the first to show the vulnerability of an insecure Smart Grid, the second to analyze a SDN application in a Smart Grid and the third with two Distributed Denial of Service (DDoS) attack on a Smar... (Complete abstract click electronic access below) / Doutor

Smart Grid

SDN

Segurança

POX

DDoS

Análisis de servicios Web en redes SDN

Córdova Molina, Andrés Fernando

January 2017

Magíster en Ingeniería de Redes de Comunicaciones / El escenario actual de las redes tradicionales es que cada nodo de red tiene su propia unidad de procesamiento y administra sus planos de control y de datos de usuarios, donde la complejidad de la gestión de la red aumenta conforme crece su tamaño. Ante este escenario se da un cambio importante en la manera de hacer networking, adoptándose las redes SDN, Software Defined Networks. Esta tecnología busca mejorar los resultados globales en desempeño y administración de las redes de comunicaciones. Paralelo a esto, el uso de servidores web se ha ido popularizando dentro de Internet, dado que son capaces de brindar diferentes tipos de servicios como transacciones bancarias, streaming, comunicaciones cifradas, etc. Las redes SDN han sido desplegadas por grandes compañías como por ejemplo Google que terminó la implementación de SDN en el año 2011. Aunque SDN está siendo globalmente adoptado, no es utilizado masivamente por empresas de distintos tamaños y no está estandarizado en su totalidad, por lo que es necesario desarrollar estudios que nos indiquen de manera técnica, las diferencias, desventajas y virtudes que tienen en comparación con las tecnologías legacy. casa En este trabajo se desarrolla un escenario de pruebas de un servidor web sobre una red SDN y legacy (red tradicional). Las pruebas consisten en variar la condiciones de red como: delay y packet loss, y la tecnología de acceso entre WLAN (wireless local area network) y LTE (long term evolution). Para construir los escenarios de pruebas se utilizan herramientas de hardware y software al alcance de cualquier investigador. Se emulan componentes de la red y se utiliza hardware especializado, generándose resultados desde el tráfico real que circuló por la infraestructura de los proveedores de Internet. Antes de la ejecución de las pruebas se determina mediante estadística descriptiva, los niveles de delay y packet loss a usar en los experimentos. Este análisis es necesario dado que no se desea incluir condiciones de red que interrumpan totalmente las comunicaciones o que generen comportamientos anómalos en la red. Adicionalmente se calcula el número de muestras necesario para determinar la veracidad de las hipótesis planteadas, con un rango de niveles de confianza entre un 90 % y 70 %. Para la resolución de las hipótesis se diseñan modelos estadísticos que permiten comparar el comportamiento de SDN en el tiempo, estos modelos se usan como entradas para distintas pruebas y análisis de las hipótesis planteadas. Finalmente se concluye que, aunque una infraestructura SDN y una infraestructura legacy presentan marcadas diferencias en su funcionamiento para soportar los servicios web, su desempeño comparando el número de conexiones exitosas y el throughput es similar, y estadísticamente idéntico en varios casos analizados, con un máximo de 3 % de diferencia para las conexiones exitosas y 2;1x10−6 % para el throughput. Se presentan pequeñas diferencias en los casos en los que no se encuentran desempeños similares siendo estos a favor de una infraestructura legacy.

Ciencia de la computación

Servicios web

Delay

SDN

An SDN-based IPS Development Framework in Cloud Networking Environment

January 2014

abstract: Security has been one of the top concerns in cloud community while cloud resource abuse and malicious insiders are considered as top threats. Traditionally, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) have been widely deployed to manipulate cloud security, with the latter one providing additional prevention capability. However, as one of the most creative networking technologies, Software-Defined Networking (SDN) is rarely used to implement IDPS in the cloud computing environment because the lack of comprehensive development framework and processing flow. Simply migration from traditional IDS/IPS systems to SDN environment are not effective enough for detecting and defending malicious attacks. Hence, in this thesis, we present an IPS development framework to help user easily design and implement their defensive systems in cloud system by SDN technology. This framework enables SDN approaches to enhance the system security and performance. A Traffic Information Platform (TIP) is proposed as the cornerstone with several upper layer security modules such as Detection, Analysis and Prevention components. Benefiting from the flexible, compatible and programmable features of SDN, Customized Detection Engine, Network Topology Finder, Source Tracer and further user-developed security appliances are plugged in our framework to construct a SDN-based defensive system. Two main categories Python-based APIs are designed to support developers for further development. This system is designed and implemented based on the POX controller and Open vSwitch in the cloud computing environment. The efficiency of this framework is demonstrated by a sample IPS implementation and the performance of our framework is also evaluated. / Dissertation/Thesis / Masters Thesis Computer Science 2014

Computer science

Cloud Computing

IPS

Openflow

SDN

On iBGP Multicasting in Software Defined Networks

Bassey, Ukemeobong Okon

January 2017

In the Internet today, learnt prefixes are forwarded within autonomous systems (ASs) over internal Border Gateway Protocol (iBGP) sessions. Existing schemes for iBGP routing include the full-mesh (FM) solution, route reflection (RR) solution and confederation. Optimal prefix routing and route diversity are the main strength of the FM solution. However, it is rarely employed in a large networks due to its deficiency in aspects including scalability and large Routing Information Base (RIB) size requirement of routers. This is due to the fact that routers in this topology are required to peer with every other router within the AS. To combat these challenges, the RR scheme provides solution for scalability by decreasing the iBGP sessions requirement. Notwithstanding, the RR solution has its own challenges which includes reduced route diversity, introduction of divergence and forwarding anomalies. Also, the FM optimality may be lost since the Route Reflectors are responsible for reflecting the learnt prefixes to their corresponding clients based on its partial view of the network. The concept of Software Defined Networking (SDN) entails decoupling of the control plane from the forwarding plane such that the control plane is logically centralized benefiting from an overall knowledge of the network for decision making. In this work, we propose a solution based on multicasting which employs relay nodes in the iBGP message dissemination. Our solution brings session management scalability and minimization of duplicate prefix announcement through elimination of peer sessions deemed unnecessary. SDN controller is employed to configure and coordinate the multicast tree.

Prefix Dissemination

Multicasting

Route Reflection

iBGP

SDN

Deploying Software-Defined Networks: a Telco Perspective

Kandoi, Rajat

January 2015

Software-De_ned Networking (SDN) proposes a new network architecture inwhich the control plane and forwarding plane are decoupled. SDN can improvenetwork e_ciency and ease of management through the centralization of the controland policy decisions. However, SDN deployments are currently limited todata-center and experimental environments. This thesis surveys the deploymentof SDN from the perspective of a telecommunication network operator. We discussthe strategies which enable the operator to migrate to a network in whichboth SDN and legacy devices interoperate. As a synthesis of existing technologiesand protocols, we formulate an automated process for the bootstrapping of newlydeployed forwarding devices. Furthermore, we review solutions for programmingthe forwarding devices and for performing topology discovery. The functionalcorrectness of the proposed bootstrapping process is evaluated in an emulatedenvironment.

SDN

bootstrap

southbound protocols

topology discovery

Erstellung von Konfigurationsbackups im humanreadable Format zur Steigerung der Datenverfügbarkeit und -qualität der Backups von Netzelementen

Thiermann, Patrick

27 April 2022

Untersuchungsgegenstand der hier vorgestellten Arbeit sind Backups der Konfigurationen aus den Netzelementen eines Dense Wavelength Division Multiplexing (DWDM)-Netzes. Diese Backups werden regelmäßig von dem verwendeten Netzmanagementsystem erstellt und auf einem Fileserver abgelegt. Die Problematik besteht darin, dass diese Backups für den User eine Blackbox darstellen. Das bedeutet, dass die Backups nicht weiter von dem User ausgelesen und verstanden werden können. Folglich kann im Fall eines korrupten Backups keinerlei Fehleranalyse oder Fehlerbehebung durch den Nutzer vorgenommen werden. Durch die Entwicklung einer Software, die die Konfigurationsdaten aus den Netzelementen in einem human-readable Format sichert, ergeben sich zwei Vorteile: Zum einen wird die Verfügbarkeit der Backups durch die Redundanz gesteigert und zum anderen die Datenqualität der Backups durch die Lesbarkeit verbessert. Für die Bewertung der Datenqualität gibt es viele verschiedene Aspekte von unterschiedlicher Wichtigkeit, die berücksichtigt werden müssen. Diese Merkmale werden im Theorieteil genauer betrachtet und es wird abgewägt, welche Aspekte für die Backups der Konfiguration im human-readable Format relevant sind. Die Sicherung der Daten beschränkt sich auf die Konfiguration der Netzelemente, weshalb Eventdaten oder Alarme aus den Netzelementen nicht weiter betrachtet werden. Die Grundlage für die Entwicklung der Software bildet ein Anforderungskatalog an die Erstellung von Backups in einem human-readable Format. Über das Testen der entwickelten Software lässt sich dann die Umsetzbarkeit und Erfüllung der Anforderungen evaluieren und so eine qualitative Analyse der Qualität und Nutzbarkeit der Backups durchführen. Abschließend wird betrachtet, ob und wie Backups im human-readable Format den Entstörungsprozess in einem SDN bzw. in einem Legacy-Netz unterstützen können.

Exploring Software-Defined Networking Challenges in Sweden : IT Team Knowledge and Skills Gap / Utforska Software-Defined Networking Utmaningar i Sverige : IT-teamets kunskaps- och kompetensgap

Abdelhadi, Ahmed, Fadda, Mohammed Raoof

January 2022

Software-Defined Networking (SDN) is a new evolving approach within the networking domain. The concept is based on decoupling and abstracting the control and data plane of the traditional network devices. This separation facilitates the network operations with many benefits such as faster delivery, better segmentation, scalability, programmability, enhancing the quality of service and the quality of experience. Despite all the benefits, SDN has its own set of challenges.  The purpose of this study is to explore the main challenges in adopting SDN architecture in Swedish organizations. The focus is on the skills gap as one of the main challenges and how Swedish organizations were able to manage it. A qualitative approach has been chosen to conduct this research using semi-structured interviews to collect the data from seven different organizations, using a mixture of a purposive and snowball sampling selection. A thematic approach was then used to generate categories and themes from the collected data. The results are consistent with previous studies when it comes to technical, financial and security challenges. The technical challenges, however, were fewer in comparison with previous studies. A new way of working was presented as a new challenge when implementing SDN solutions. Furthermore, the knowledge gap was mentioned as a key challenge within Swedish organizations when implementing/operating SDN.  Finally, clear recommendations were made to overcome the knowledge gap challenge, from consulting a third-party expert, having a detailed plan, employing a multiphase process for SDN implementation, to having an online learning platform available to the IT team. / Software-Defined Networking (SDN) är en framväxande teknik inom nätverksdomänen. Konceptet är baserat på att frikoppla och abstrahera kontrollplan och dataplan för de traditionella nätverksenheterna. Separationen underlättar nätverksdrift och ger många fördelar såsom, snabbare leverans, bättre segmentering, skalbarhet, förbättrade kvalitet på tjänsten och kvalitet på upplevelsen. Trots många fördelar har SDN också utmaningar. Syftet med denna studie är att utforska de största utmaningarna med att implementera SDN-arkitektur i svenska organisationer. Fokus ligger på kunskapsklyftan som är en av de tidigare identifierade huvudutmaningarna, och hur svenska organisationer har hanterat dessa. En kvalitativ metod har valts för att genomföra denna studie med hjälp av semistrukturerade intervjuer för att samla in data från sju olika organisationer, med hjälp av en blandning av målinriktat och snöbollsurval. En tematisk metod användes sedan för att generera kategorier och teman från den insamlade datan. Resultaten överensstämmer med tidigare studier när det gäller tekniska, ekonomiska och säkerhetsmässiga utmaningar. De tekniska utmaningarna var dock färre jämfört med tidigare studier. Ett nytt arbetssätt presenterades som en ny utmaning vid implementering av en SDN-lösning. Dessutom, nämndes kunskapsklyftan som en central utmaning inom svenska organisationer vid implementering och drift av SDN. Slutligen presenterades tydliga rekommendationer för att övervinna utmaningen med kunskapsgapet, från att konsultera en tredje part, att ha en tydlig plan, använda en flerfasprocess för SDN-implementering samt att ha en digital utbildningsplattform tillgänglig för IT-teamet.

Automation

Centralized Controller

DevOps

Knowledge gap

Programmable Networks

SDN

SDN Challenges

Automation

Centraliserad Kontroller

DevOps

Kunskapsklyfta

Programmerbara Nätverk

SDN

SDN Utmaningar

Information Systems

Optimizing Relay Placement for Scalable Secure VPLS Networks using Facility Location Modeling / Optimering av reläplacering för skalbara säkra VPLS-nätverk med användning av facilitetslokaliseringsmodellering

Tan, Xi

January 2023

Virtual Private LAN Service (VPLS) networks have emerged as a popular solution for providing scalable and efficient Layer 2 connectivity across wide-area networks. However, designing secure and scalable VPLS networks presents significant challenges. The full-mesh tunneling approach in HIP-based VPLS networks results in the N square scalability problem. This thesis addresses the scalability issue in HIP-based Virtual Private LAN Service (VPLS) networks by introducing relay routers. An optimization model based on the Capacitated Facility Location Model is proposed to select the optimal relay routers for a given network topology. The objective of the model is to minimize the cost of setting up and maintaining relay routers while ensuring proper network operation. The proposed solution is evaluated using Software-Defined Networking (SDN) and Mininet-based simulations. The results show that the proposed approach is effective in reducing the scalability issue in HIP-based VPLS networks.

VPLS

HIP

CFLP

SDN

Communication Systems

Kommunikationssystem