Availability-Aware Resource Allocation for Containerized Network Functions

Huang, Zhuonan

31 May 2021

Deploying virtual network functions (VNFs) such as WAN accelerators, network address translators (NATs) and 5G functions at the network edge (NE) can significantly reduce the experienced latency of delay-ultrasensitive applications (e.g., autonomous vehicles and Internet of things). Nonetheless, a major challenge to their anticipated large-scale deployment is the ability to efficiently allocate and manage the scarce NE resources hosting these functions. In this thesis, we describe a novel containerized infrastructure manager (cIM) that extends current managers, such as Kubernetes, with the necessary building blocks to provide an accurate yet elastic resource allocation service to containerized VNFs at scale. The proposed cIM treats the main modules of the VNFs, i.e., the containerized VNF components (cNFCs), as atomic special-purpose functions that can be rapidly deployed to form complex network services. The main component of the proposed cIM, the resource reservation manager (RRM), employs concepts of risk pooling in the insurance industry to accurately reserve the needed resources for the hosting containers. More precisely, to meet anticipated cNFCs demand fluctuation, the RRM accurately reserves a quota of additional resources that are shared by the containerized functions collected together in clusters. The reserved quota of resources ensures the desired availability level of the cNFCs without over-provisioning the scarce resources of the NE. The RRM considers three different situations namely that of a cNFC instance, a cluster of cNFCs or multiple cNFC clusters sharing the reserved resources. Different allocation approaches are then presented for each of these three situations. Simulation experiments are conducted to evaluate the performance of our reservation schemes from different aspects. The corresponding experimental results demonstrate that our proposed cIM can significantly improve the performance of the cNFCs and guarantee their desired availability with minimal resource reservation. Optimal allocation solutions of the resource pools are further proposed considering the desired availability level and the limit of resource pools. The evaluation results demonstrate that our optimization models and solutions obtain the best performance of relevant testing parameters, e.g., availability.

Virtual network functions

Containers

Resource reservation

Statistical modelling

Availability

Security Analysis of a Software Defined Wide Area Network Solution

Rajendran, Ashok

January 2016

Enterprise wide area network (WAN) is a private network that connects the computers and other devices across an organisation's branch locations and the data centers. It forms the backbone of enterprise communication. Currently, multiprotocol label switching (MPLS) is commonly used to provide this service. As a recent alternative to MPLS, software-dened wide area networking (SD-WAN) solutions are being introduced as an IP based cloud-networking service for enterprises. SD-WAN virtualizes the networking service and eases the complexity of conguring and managing the enterprise network by moving these tasks to software and a central controller. The introduction of new technologies causes concerns about their security. Also, this new solution is introduced as a replacement for MPLS, which has been considered secure and has been in use for more than 16 years. Thus, there is a need to analyze the security of SD-WAN, which is the goal of this thesis. In this thesis, we perform a security analysis of a commercial SD-WAN solution, by finding its various attack surfaces, associated vulnerabilities and design weaknesses. We choose Nuage VNS, an SD-WAN product provided by Nuage Networks, as the analysis target. As a result, many attack surfaces and security weaknesses were found and reported, especially in the Customer Premises Equipment (CPE). In particular, we found vulnerabilities in the CPE's secure bootstrapping method and demonstrated some attacks by exploiting them. Finally, we propose mitigation steps to avoid the attacks. The results of this thesis will help both the service provider and the SD-WAN solution vendor to know about the attack surfaces and weaknesses of SD-WAN before o ering it to their customers. We also help in implementing the temporary countermeasures to mitigate the attacks. The results have been presented to the service provider and the vendor of the SD-WAN product.

SD-WAN

Nuage VNS

virtual network functions

security

Engineering and Technology

Teknik och teknologier

Elektroteknik och elektronik