
An SDN-based firewall shunt for data-intensive science applications

A dissertation submitted to the Faculty of Engineering and the Built Environment, University of the Witwatersrand, Johannesburg, in fulfilment of the requirements for the degree of Master of Science in Engineering, 2016

Data-intensive research computing requires the capability to transfer files over
long distances at high throughput. Stateful firewalls introduce sufficient packet loss
to prevent researchers from fully exploiting high bandwidth-delay network links [25].
To work around this challenge, the science DMZ design [19] trades off stateful packet
filtering capability for loss-free forwarding via an ordinary Ethernet switch. We propose
a novel extension to the science DMZ design, which uses an SDN-based firewall.
This report introduces NFShunt, a firewall based on Linux's Netfilter combined
with OpenFlow switching. Implemented as an OpenFlow 1.0 controller coupled to
Netfilter's connection tracking, NFShunt allows the bypass-switching policy to be
expressed as part of an iptables firewall rule-set. Our implementation is described
in detail, and the latency of the control-plane mechanism is reported. TCP throughput
and packet loss are shown at various round-trip latencies, with comparisons to
pure switching, as well as to a high-end Cisco firewall. Cost, as well as operations
and maintenance aspects, are compared and analysed. The results support reported
observations regarding firewall-introduced packet loss, and indicate that the SDN
design of NFShunt is a technically viable and cost-effective approach to enhancing
a traditional firewall to meet the performance needs of data-intensive researchers.

GS2016

Identifier: oai:union.ndltd.org:netd.ac.za/oai:union.ndltd.org:wits/oai:wiredspace.wits.ac.za:10539/21061
Date: January 2016
Creators: Miteff, Simeon
Source Sets: South African National ETD Portal
Language: English
Detected Language: English
Type: Thesis
Format: Online resource (97 pages), application/pdf
