61 |
Emulating Software-Defined Small-Cell Wireless Mesh Networks Using ns-3 and Mininet / Pieskä, Marcus, January 2018
The objective of this thesis was to create a network emulator, suitable for evaluating solutions in a small-cell wireless mesh SDN backhaul network environment, by integrating existing software. The most important effort in this process has been a transparent integration of Mininet and ns-3 at both the data and the control plane, with ns-3 serving as the front end. The goal has been to design the system so that solutions revolving around fast failover, resilient routing, and energy-efficient small-cell management can be evaluated. The constituent components are an augmented ns-3 WiFi module with millimeter-wave communication capabilities; a socket API suitable for remote-controller management; and the network emulator Mininet, which in turn integrates Open vSwitch, virtual hosts in the form of Linux network namespaces, and OpenFlow controllers. The work also includes a brief evaluation of the system, which revealed that the design has a fundamental flaw. / SOCRA
|
62 |
Interactive monitoring, visualization, and configuration of OpenFlow-based SDN / Isolani, Pedro Heleno, January 2015
Software-Defined Networking (SDN) is an emerging paradigm that arguably facilitates network innovation and simplifies network management. SDN enables these features based on four fundamental principles: (i) the network control and forwarding planes are clearly decoupled, (ii) forwarding decisions are flow-based instead of destination-based, (iii) the network forwarding logic is abstracted from the hardware into a programmable software layer, and (iv) an element called the controller is introduced to coordinate network-wide forwarding decisions. Nowadays, much has been discussed about using SDN principles to improve network management, where SDN is taken as a management tool, instead of discussing which new management challenges this network paradigm introduces. In the context of SDN, management activities such as monitoring, visualization, and configuration can differ considerably from those of traditional networks and thus deserve proper attention. For example, an SDN controller can be customized by network administrators according to their needs. Such customizations might affect resource consumption and traffic-forwarding performance, which is difficult to assess because traditional network management solutions were not designed to cope with the SDN context. As a consequence, an SDN-tailored management solution must help the administrator understand and control how the SDN controller's behavior affects the network. Considering this context, we first analyzed SDN control traffic to better understand the impact of the communication between the controller and the forwarding devices. We then propose an interactive approach to SDN management through monitoring, visualization, and configuration that includes the administrator in the management loop: SDN-specific metrics are monitored, processed, and displayed in interactive visualizations, so that the administrator can make decisions and configure or reconfigure SDN-related parameters according to his or her needs. To show the feasibility of the approach, a prototype called SDN Interactive Manager was developed. The results obtained with this prototype show that our approach helps the administrator better understand the impact of configuring SDN-related parameters on overall network performance.
|
63 |
SDN in the IoT context: software-defined networking based refactoring of a middleware for chronic patient monitoring / Arbiza, Lucas Mendes Ribeiro, January 2016
Some of the words and definitions commonly used when talking about Software-Defined Networking, such as programmability, flexibility, or centralized management, sound very appropriate to the context of another network paradigm: the Internet of Things. Devices designed for security, air conditioning, lighting, health monitoring, and other forms of automation have become common in home networks; those devices differ in many ways, including how they operate and communicate. Dealing with this kind of scenario can differ greatly from what we are used to in network and service management; using the traditional, well-established management tools and protocols may be hard or even unfeasible. Aiming to enable remote health monitoring of patients with chronic illnesses using off-the-shelf healthcare devices, a middleware proposal was developed in a research project to circumvent the interoperability, data collection, management, security, and privacy limitations found in the devices employed. The middleware was designed to run on access points installed in patients' homes. However, the hardware and software limitations of the access points used affect development, because they restrict the programming languages and resources that could expedite the implementation of the necessary modules and mechanisms. These development setbacks motivated the search for alternatives, resulting in the refactoring of the middleware through Software-Defined Networking, based on previous work that uses that paradigm in home networks.

This work aims to verify the feasibility of employing Software-Defined Networking in the Internet of Things context, specifically in the chronic-patient monitoring service of the previous proposal, and to explore the resulting benefits. After the refactoring, most of the network and monitoring service load was distributed among dedicated remote servers, allowing developers to go beyond the constraints of the access point and to use resources not available before, which enables a more agile development process and more complex features, widening the possibilities of the service. Additionally, Software-Defined Networking provides benefits such as delivering more than one service through the same access point; scalability and autonomy in managing networks and devices and in deploying services, through OpenFlow protocol features; and cooperation between devices and services to build a wider digital representation of the monitored environment.
|
64 |
Design and Implementation of Scalable High-Performance Network Functions / Hsieh, Cheng-Liang, 01 August 2017
Service Function Chaining (SFC) enriches network functionality to fulfill the increasing demand for value-added services. By leveraging SDN and NFV for SFC, it becomes possible to meet demand fluctuation and construct a dynamic SFC. However, integrating SDN with NFV requires packet header modifications, generates excessive network traffic, and induces additional I/O overhead for packet processing. These overheads lower system performance, scalability, and agility. To improve performance, a co-optimized implementation of network functions is proposed to achieve better throughput for software-based network functions. To improve scalability, a many-field packet classification algorithm is proposed to support more complex rulesets. To improve agility, a network-function-enabled switch is proposed to lower the network function context-switching time. The experimental results show that the performance of a network function is improved 8 times by leveraging a GPU as a parallel computation platform. Moreover, the matching speed for steering network traffic with a many-field ruleset is improved 4 times with the proposed many-field packet classification algorithm. Finally, the proposed system improves system bandwidth 5 times over the native solution while maintaining the context-switching time with the proposed SFC implementation using SDN and NFV.
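The many-field classification step that steers a flow into its chain can be illustrated with a tuple-space search, the classic hash-per-tuple approach to multi-field matching. The following Python is an added example, not code from the dissertation (whose classifier and GPU implementation are not on this page); the five fields, the ruleset, the chain names and the packets are all constructed for illustration, and a linear scan is kept alongside as a reference to check the fast path against.

```python
# Added example (not code from the dissertation): tuple-space search for a
# many-field ruleset that steers packets into service function chains.
# Ruleset, chain names and packets are constructed for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    priority: int                 # higher wins when several rules match
    src: str                      # IPv4 CIDR; "0.0.0.0/0" matches anything
    dst: str
    proto: Optional[int]          # IP protocol number, None = wildcard
    sport: Optional[int]          # exact port, None = wildcard
    dport: Optional[int]
    chain: Tuple[str, ...]        # ordered service function chain to apply


def _mask(addr: int, plen: int) -> int:
    """Keep the top plen bits of a 32-bit IPv4 address."""
    return addr & (((1 << plen) - 1) << (32 - plen))


def _matches(r: Rule, src: int, dst: int, proto: int, sport: int, dport: int) -> bool:
    s, d = ip_network(r.src), ip_network(r.dst)
    return (_mask(src, s.prefixlen) == int(s.network_address)
            and _mask(dst, d.prefixlen) == int(d.network_address)
            and r.proto in (None, proto)
            and r.sport in (None, sport)
            and r.dport in (None, dport))


def linear_classify(rules, src, dst, proto, sport, dport) -> Optional[Rule]:
    """Reference: scan every rule and keep the highest-priority match (O(rules))."""
    s, d = int(ip_address(src)), int(ip_address(dst))
    hits = [r for r in rules if _matches(r, s, d, proto, sport, dport)]
    return max(hits, key=lambda r: r.priority, default=None)


class TupleSpaceClassifier:
    """Rules are bucketed by their tuple (which fields they specify, and at what
    prefix length). A lookup is one exact-match hash probe per distinct tuple
    instead of one comparison per rule, so cost grows with tuples, not rules."""

    def __init__(self, rules):
        self.tables: Dict[tuple, Dict[tuple, Rule]] = {}
        for r in rules:
            s, d = ip_network(r.src), ip_network(r.dst)
            tkey = (s.prefixlen, d.prefixlen,
                    r.proto is not None, r.sport is not None, r.dport is not None)
            key = (int(s.network_address), int(d.network_address), r.proto, r.sport, r.dport)
            table = self.tables.setdefault(tkey, {})
            if key not in table or r.priority > table[key].priority:
                table[key] = r    # keep only the best rule per exact key

    def classify(self, src, dst, proto, sport, dport) -> Optional[Rule]:
        s, d = int(ip_address(src)), int(ip_address(dst))
        best = None
        for (slen, dlen, hp, hs, hd), table in self.tables.items():
            probe = (_mask(s, slen), _mask(d, dlen),
                     proto if hp else None, sport if hs else None, dport if hd else None)
            r = table.get(probe)
            if r is not None and (best is None or r.priority > best.priority):
                best = r
        return best


# Constructed ruleset (hypothetical chains and prefixes).
RULES = [
    Rule(10,  "0.0.0.0/0",   "0.0.0.0/0",      None, None, None, ("firewall",)),
    Rule(90,  "10.1.0.0/16", "0.0.0.0/0",      6,    None, None, ("firewall", "nat")),
    Rule(100, "10.0.0.0/8",  "0.0.0.0/0",      6,    None, 80,   ("firewall", "dpi", "nat")),
    Rule(200, "10.1.2.0/24", "192.168.0.0/16", None, None, None, ("ids",)),
]
CLASSIFIER = TupleSpaceClassifier(RULES)


def steer(src, dst, proto, sport, dport) -> Tuple[str, ...]:
    """Chain a packet is steered through; the fast path is cross-checked against the scan."""
    fast = CLASSIFIER.classify(src, dst, proto, sport, dport)
    slow = linear_classify(RULES, src, dst, proto, sport, dport)
    assert fast == slow, "tuple-space result must agree with the reference scan"
    return fast.chain if fast else ()


if __name__ == "__main__":
    for pkt in [("10.1.2.3", "192.168.1.1", 6, 1234, 80),
                ("10.5.0.1", "8.8.8.8", 6, 4000, 80),
                ("10.1.9.9", "8.8.8.8", 17, 53, 53)]:
        print(pkt, "->", steer(*pkt))
```

Each rule lands in the table for its tuple, so a lookup costs one hash probe per distinct tuple rather than one comparison per rule; with many rules sharing a few tuples that is where the speed-up comes from, and because the probes are independent the structure also maps naturally onto a parallel platform such as a GPU.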
|
65 |
An outright open source approach for simple and pragmatic Internet eXchange / Bruyère, Marc, 06 July 2016
The Internet, the network of networks, is indispensable to our modern, globalized life and economy and, as a public resource, rests on interoperability and trust; free and open-source software plays a major role in its development. Internet exchange points (IXPs), where operators of every type and size can exchange traffic, are essential as neutral and independent meeting places, and their traffic keeps growing: the total global Internet traffic of 2013 is comparable to what the largest European IXP carries today. The fundamental service an IXP offers is a shared layer-2 switching fabric. Although this should be a basic function, current solutions do not properly meet IXP requirements, as the EURO-IX wishlist of features still missing from core Ethernet switching equipment makes clear, and vendor solutions for IXPs based on MPLS are an imperfect readjustment. The root cause is that the control and data planes are entangled in proprietary, closed implementations of a distributed control plane, leaving no way to program the forwarding plane finely. Equally, every piece of equipment must be tested before deployment to verify that it meets expectations, yet the available testing tools are commercial and closed, mostly software-based and thus unable to perform at high speed with accuracy, extremely expensive and inflexible, and do not satisfy the requirements of independence and neutrality. Software-Defined Networking (SDN), a paradigm that decouples the control and data planes, uses the OpenFlow protocol to program high-performance Ethernet forwarding planes. Experience with OpenFlow in production networks has, however, exposed significant limitations in hardware switch support for the protocol, and for stability not every control-plane function can be decoupled from the data plane. Unlike research projects that centralize the entire control plane on top of OpenFlow, at a cost in exchange stability, and unlike earlier SDN proposals for IXPs whose separation of layers 2 and 3 is fuzzy, we use OpenFlow only to manage the control plane specific to the switching fabric. The main objective of this thesis is to propose Umbrella, a simple and pragmatic SDN-enabled IXP fabric that addresses the critical IXP requirements, first of all the guarantee of independence and neutrality of exchanges: a more transparent layer-2 fabric in which participants exchange their traffic independently, since transparency serves neutrality.

In the first part we present the Umbrella architecture in detail, with the tests and validations showing that the clear separation of control and data plane increases the robustness, flexibility and reliability of the exchange. Umbrella abolishes broadcasting with a pseudo-wire and segment-routing approach, and we show that it scales and can recycle legacy non-OpenFlow core switches to reduce migration cost. To give IXPs the autonomy to run the tests needed to examine and validate an Umbrella deployment, we developed the Open Source Network Tester (OSNT), a fully open-source hardware traffic generation and capture system that costs less than comparable commercial systems while reaching comparable precision and accuracy, and whose open implementation can be validated, reviewed and extended with new features for new applications. OSNT is the foundation of OpenFlow Operations Per Second Turbo (OFLOPS Turbo), the integration of the OFLOPS OpenFlow switch evaluation platform with OSNT's hardware-accelerated generation and capture. The last chapter presents the production deployment of Umbrella on a regional exchange: ten Internet operators were persuaded to migrate the entire Toulouse IXP (TouIX), the testing tools we developed were used to qualify the hardware deployed in production, and the exchange has been running stably for a year, fully managed and monitored through a single web application that replaced all the complex proprietary management systems used before.
|
66 |
SDEFIX: managing elephant flows in SDN-based IXP networks / Knob, Luis Augusto Dias, January 2016
Internet Exchange Points (IXPs) play a key role in the current Internet architecture, enabling cost-effective connections among multiple autonomous systems (ASes). Management of IXP networks is primarily concerned with the management of so-called elephant flows. Such flows represent a small portion of the total flows of an IXP network but usually account for most of the traffic. Managing elephant flows involves adequate identification and, when necessary, rerouting such flows to more appropriate paths to minimize the possible negative impact on the other (mice) flows active in the network. Elephant flow management becomes more important in SDN-based IXPs, whose controllers have a consistent view of the underlying network and thus allow fine-grained adjustment. In this master's thesis, we propose, develop, and evaluate an identification system for elephant flows and their respective paths, together with a recommendation system that suggests alternative configurations for previously identified elephant flows in an SDN-based IXP network. In this solution, the IXP operator can define templates that ultimately determine how elephant-flow paths are reconfigured to achieve a specific objective. We demonstrate that our system can help IXP operators identify, handle, and mitigate the impact of elephant flows in the IXP network.
|
67 |
NFV-PEAR: adaptive placement and chaining of virtual network functions / Miotto, Gustavo, January 2018
The design of flexible and efficient mechanisms for the proper placement and chaining of virtual network functions (VNFs) is key to the success of Network Function Virtualization (NFV). Most state-of-the-art solutions, however, assume fixed (and immutable) flow-processing and bandwidth requirements when placing VNFs in Network Points of Presence (N-PoPs). This limitation becomes critical in NFV-enabled networks with highly dynamic flow behavior, in which flow-processing requirements and available N-PoP resources change constantly. To bridge this gap, we present NFV-PEAR, a platform for adaptive VNF placement and chaining. With NFV-PEAR, network operators can periodically (re)arrange previously determined VNF placements and chains with the goal of maintaining acceptable end-to-end flow performance despite fluctuations in flow-processing costs and requirements, while minimizing the network changes (e.g., reallocation of VNFs or network flows) made to reach that goal. The results of an experimental evaluation provide evidence that NFV-PEAR can deliver more stable operation of network services while significantly reducing the number of network changes required to ensure end-to-end flow performance.
|
68 |
ARKHAM: an advanced refinement toolkit for handling service level agreements in software-defined networking / Machado, Cristian Cleder, January 2015
Software-Defined Networking (SDN) aims to provide a more sophisticated and accurate architecture for managing and monitoring network traffic. SDN allows part of the decision-making logic for flow processing and packet routing to be centralized in controller devices. Despite this, the behavior of network devices and their configurations are often written for specific situations directly in the controller. This becomes a problem as the number of network elements, links, and services grows, resulting in a large number of rules and a high network-configuration overhead. As an alternative, techniques such as Policy-Based Management (PBM) and policy refinement let high-level operators write Service Level Agreements (SLAs) in a user-friendly interface without changing the code implemented in the controllers. However, policy refinement has been a neglected topic in the new research area of SDN, in part because refinement is a nontrivial process: translating SLAs into low-level policies, e.g., rules for configuring switching elements, is not straightforward, and if this translation is not performed properly, the system elements may fail to meet the implicit requirements specified in the SLA. In this context, we introduce ARKHAM: an Advanced Refinement Toolkit for Handling Service Level Agreements in Software-Defined Networking. This work presents (i) a Policy Authoring Framework that uses logical reasoning for the specification of business-level goals and to automate their refinement; (ii) an OpenFlow controller that performs information gathering and configuration deployment; and (iii) a formal representation of high-level policies using Event Calculus, applying logical reasoning to model both the system behavior and the policy refinement process for SDN management. As a result, our approach can identify the requirements and resources that need to be configured according to the SLA refinement, and can successfully configure and execute dynamic actions that support infrastructure reconfiguration.
|
69 |
OpenFlow-enabled dynamic DMZ for local networks / Wu, Haotian, January 1900
Doctor of Philosophy / Department of Electrical and Computer Engineering / Don M. Gruenbacher / Caterina M. Scoglio
Cybersecurity plays a vital role in today's networks. Security devices such as deep packet inspection (DPI) appliances can enhance it, but a DPI device has a limited inspection capacity that cannot keep up with the ever-increasing volume of network traffic, and the gap keeps widening. Inspecting every single packet with DPI is therefore impractical.
Our objective is to find a tradeoff between network security and network performance. More explicitly, we aim at maximizing the utilization of security devices, while not decreasing network throughput. We propose two prototypes to address this issue in a demilitarized zone (DMZ) architecture.
Our first prototype involves a flow-size based DMZ criterion. In a campus network elephant flows, flows with large data rate, are usually science data and they are mostly safe. Moreover, the majority of the network bandwidth is consumed by elephant flows. Therefore, we propose a DMZ prototype that we inspect elephant flows for a few seconds, and then we allow them to bypass DPI inspection, as long as they are identified as safe flows; and they can be periodically inspected to ensure they remain safe.
Our second prototype is a congestion-aware DMZ scheme. Instead of determining whether a flow is safe or not by its size, we treat all flows identically. We measure the data rates of all flows, and use a global optimization algorithm to determine which flows are allowed to safely bypass a DPI. The objective is to maximize DPI utilization.
Both prototypes are implemented using OpenFlow in this work, and extensive experiments are performed to test both prototypes' feasibility. The results attest that the two prototypes are effective in ensuring network security while not compromising network performance. A number of tools for SDN network configuring and testing are also developed.
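The controller-side decision logic behind the two prototypes, as an added example written for this page (it is not code from the thesis or its tools). It assumes an OpenFlow controller that samples per-flow byte counters from flow statistics, derives a rate, and programs one of two output ports: one toward the DPI box and one on the direct path. The elephant threshold, inspection window, re-inspection period, port numbers and the sample flows are constructed assumptions, not values from the thesis.

```python
"""Controller-side DPI-bypass decision logic for an OpenFlow DMZ.

Added example, not code from the thesis. It models the two prototypes the
abstract describes:
  1. flow-size based: an elephant flow is inspected for a short window, then
     bypasses the DPI while it is deemed safe, with periodic re-inspection;
  2. congestion-aware: all flows are treated alike, and the set steered through
     the DPI is chosen to fill the DPI capacity as fully as possible.
Thresholds, port numbers and flow records are assumptions for illustration.
"""
from dataclasses import dataclass

# Assumed parameters, not values from the thesis
ELEPHANT_MBPS = 100           # flows faster than this are treated as elephant flows
INSPECT_SECONDS = 5           # initial DPI inspection window for an elephant flow
REINSPECT_SECONDS = 60        # period after which a bypassing flow returns to the DPI
DPI_PORT, BYPASS_PORT = 1, 2  # switch output ports: toward the DPI box, direct path


@dataclass
class FlowState:
    match: tuple              # (src_ip, dst_ip, dst_port), as carried in an OpenFlow match
    rate_mbps: float          # derived from successive flow-stats byte counters
    since: float              # time the current inspect/bypass period started
    safe: bool = True         # last DPI verdict
    bypassing: bool = False


def rate_mbps(bytes_prev, bytes_now, interval_s):
    """Data rate between two flow-stats byte-count samples taken interval_s apart."""
    return (bytes_now - bytes_prev) * 8 / interval_s / 1e6


def flow_size_policy(flow, now, dpi_alert):
    """Prototype 1. Updates the flow state and returns the output port to program."""
    if dpi_alert:
        # The DPI raised an alert: the flow is unsafe and stays on the inspection path
        flow.safe, flow.bypassing = False, False
        return DPI_PORT
    if flow.rate_mbps < ELEPHANT_MBPS or not flow.safe:
        return DPI_PORT       # mice and previously flagged flows are always inspected
    if flow.bypassing:
        if now - flow.since >= REINSPECT_SECONDS:
            flow.bypassing, flow.since = False, now   # periodic re-inspection
            return DPI_PORT
        return BYPASS_PORT
    if now - flow.since >= INSPECT_SECONDS:
        flow.bypassing, flow.since = True, now        # inspected long enough, still safe
        return BYPASS_PORT
    return DPI_PORT


def congestion_aware_policy(rates_mbps, dpi_capacity_mbps):
    """Prototype 2. Pick the subset of flows to send through the DPI whose summed
    rate is as large as possible without exceeding the DPI capacity; every other
    flow bypasses. Exact 0/1 knapsack over integer Mb/s (weight == value); flows
    under 1 Mb/s round to zero and are never selected, use a finer unit if that
    matters."""
    w = [int(r) for r in rates_mbps]
    cap = int(dpi_capacity_mbps)
    best = [(0, 0)] * (cap + 1)          # best[c] = (inspected Mb/s <= c, bitmask of flows)
    for i, wi in enumerate(w):
        for c in range(cap, wi - 1, -1):  # descending so each flow is used at most once
            cand = best[c - wi][0] + wi
            if cand > best[c][0]:
                best[c] = (cand, best[c - wi][1] | (1 << i))
    total, mask = best[cap]
    to_dpi = [i for i in range(len(w)) if (mask >> i) & 1]
    return to_dpi, total


def flow_mods(flows, ports):
    """Shape of the rules the controller would push: one output action per flow."""
    return [{"match": f.match, "actions": [("output", p)]} for f, p in zip(flows, ports)]


if __name__ == "__main__":
    # Constructed sample: one science transfer and one small interactive flow
    big = FlowState(("10.1.0.5", "192.0.2.10", 2811), rate_mbps(0, 1_000_000_000, 8), since=0.0)
    small = FlowState(("10.1.0.7", "192.0.2.20", 443), 0.5, since=0.0)
    for t in (2.0, 5.0, 30.0, 65.0):
        print(t, flow_size_policy(big, t, False), flow_size_policy(small, t, False))
    print(congestion_aware_policy([400, 300, 250, 90, 60], dpi_capacity_mbps=700))
```

The trade-off the abstract describes is visible in the first policy: between re-inspections a bypassing flow carries whatever it likes past the DPI, so the re-inspection period bounds how long a flow that turns hostile after its initial window stays unseen. The second policy makes the same trade-off explicit as an optimisation: with a 700 Mb/s DPI and the sample rates, the 400 and 300 Mb/s flows fill it exactly and the rest bypass.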
|
70 |
SDN-based Proactive Defense Mechanism in a Cloud System
January 2015 (has links)
abstract: Cloud computing is known as a new and powerful computing paradigm. This new generation of network computing model delivers both software and hardware as on-demand resources and various services over the Internet. However, security concerns prevent users from adopting cloud-based solutions to fulfill the IT requirements of many business-critical computing tasks. Due to the resource-sharing and multi-tenant nature of cloud-based solutions, cloud security is the foremost concern in Infrastructure as a Service (IaaS). It has been attracting a great deal of research and development effort in the past few years.
Virtualization is the main technology of cloud computing that enables multi-tenancy. Computing power, storage, and network are all virtualizable and can be shared in an IaaS system. This important technology makes abstract infrastructure and resources available to users as isolated virtual machines (VMs) and virtual networks (VNs). However, it also increases vulnerabilities and possible attack surfaces in the system, since all users in a cloud share these resources with others, or even with attackers. A promising protection mechanism is required to ensure strong isolation, mediated sharing, and secure communication between VMs. Technologies for detecting anomalous traffic and protecting normal traffic in VNs are also needed. Therefore, how to secure and protect the private traffic in VNs and how to prevent malicious traffic from shared resources are major security research challenges in a cloud system.
This dissertation proposes four novel frameworks to address the challenges mentioned above. The first work is a new multi-phase distributed vulnerability measurement and countermeasure selection mechanism based on the attack graph analytical model. The second work is a hybrid intrusion detection and prevention system to protect VNs and VMs using virtual machine introspection (VMI) and software-defined networking (SDN) technologies. The third work further improves the previous works by introducing a VM profiler and a VM Security Index (VSI) to keep track of the security status of each VM and suggest the optimal countermeasure to mitigate potential threats. The final work is an SDN-based proactive defense mechanism for a cloud system using a reconfiguration model and moving target defense approaches to actively and dynamically change the virtual network configuration of the cloud system. / Dissertation/Thesis / Doctoral Dissertation Computer Science 2015
|