Showing papers on "Network management published in 2014"

A Survey of Software-Defined Networking: Past, Present, and Future of Programmable Networks

Abstract: The idea of programmable networks has recently re-gained considerable momentum due to the emergence of the Software-Defined Networking (SDN) paradigm. SDN, often referred to as a ''radical new idea in networking'', promises to dramatically simplify network management and enable innovation through network programmability. This paper surveys the state-of-the-art in programmable networks with an emphasis on SDN. We provide a historic perspective of programmable networks from early ideas to recent developments. Then we present the SDN architecture and the OpenFlow standard in particular, discuss current alternatives for implementation and testing of SDN-based protocols and services, examine current and future SDN applications, and explore promising research directions based on the SDN paradigm.

Software-Defined Networking: A Comprehensive Survey

Abstract: Software-Defined Networking (SDN) is an emerging paradigm that promises to change this state of affairs, by breaking vertical integration, separating the network's control logic from the underlying routers and switches, promoting (logical) centralization of network control, and introducing the ability to program the network. The separation of concerns introduced between the definition of network policies, their implementation in switching hardware, and the forwarding of traffic, is key to the desired flexibility: by breaking the network control problem into tractable pieces, SDN makes it easier to create and introduce new abstractions in networking, simplifying network management and facilitating network evolution. In this paper we present a comprehensive survey on SDN. We start by introducing the motivation for SDN, explain its main concepts and how it differs from traditional networking, its roots, and the standardization activities regarding this novel paradigm. Next, we present the key building blocks of an SDN infrastructure using a bottom-up, layered approach. We provide an in-depth analysis of the hardware infrastructure, southbound and northbound APIs, network virtualization layers, network operating systems (SDN controllers), network programming languages, and network applications. We also look at cross-layer problems such as debugging and troubleshooting. In an effort to anticipate the future evolution of this new paradigm, we discuss the main ongoing research efforts and challenges of SDN. In particular, we address the design of switches and control platforms -- with a focus on aspects such as resiliency, scalability, performance, security and dependability -- as well as new opportunities for carrier transport networks and cloud providers. Last but not least, we analyze the position of SDN as a key enabler of a software-defined environment.

Network Innovation using OpenFlow: A Survey

Abstract: OpenFlow is currently the most commonly deployed Software Defined Networking (SDN) technology. SDN consists of decoupling the control and data planes of a network. A software-based controller is responsible for managing the forwarding information of one or more switches; the hardware only handles the forwarding of traffic according to the rules set by the controller. OpenFlow is an SDN technology proposed to standardize the way that a controller communicates with network devices in an SDN architecture. It was proposed to enable researchers to test new ideas in a production environment. OpenFlow provides a specification to migrate the control logic from a switch into the controller. It also defines a protocol for the communication between the controller and the switches. As discussed in this survey paper, OpenFlow-based architectures have specific capabilities that can be exploited by researchers to experiment with new ideas and test novel applications. These capabilities include software-based traffic analysis, centralized control, dynamic updating of forwarding rules and flow abstraction. OpenFlow-based applications have been proposed to ease the configuration of a network, to simplify network management and to add security features, to virtualize networks and data centers and to deploy mobile systems. These applications run on top of networking operating systems such as Nox, Beacon, Maestro, Floodlight, Trema or Node.Flow. Larger scale OpenFlow infrastructures have been deployed to allow the research community to run experiments and test their applications in more realistic scenarios. Also, studies have measured the performance of OpenFlow networks through modelling and experimentation. We describe the challenges facing the large scale deployment of OpenFlow-based networks and we discuss future research directions of this technology.

PayLess: A low cost network monitoring framework for Software Defined Networks

Abstract: Software Defined Networking promises to simplify network management tasks by separating the control plane (a central controller) from the data plane (switches). OpenFlow has emerged as the de facto standard for communication between the controller and switches. Apart from providing flow control and communication interfaces, OpenFlow provides a flow level statistics collection mechanism from the data plane. It exposes a high level interface for per flow and aggregate statistics collection. Network applications can use this high level interface to monitor network status without being concerned about the low level details. In order to keep the switch design simple, this statistics collection mechanism is implemented as a pull-based service, i.e. network applications and in turn the controller has to periodically query the switches about flow statistics. The frequency of polling the switches determines monitoring accuracy and network overhead. In this paper, we focus on this trade-off between monitoring accuracy, timeliness and network overhead. We propose PayLess - a monitoring framework for SDN. PayLess provides a flexible RESTful API for flow statistics collection at different aggregation levels. It uses an adaptive statistics collection algorithm that delivers highly accurate information in real-time without incurring significant network overhead. We utilize the Floodlight controller's API to implement the proposed monitoring framework. The effectiveness of our solution is demonstrated through emulations in Mininet.

Enforcing network-wide policies in the presence of dynamic middlebox actions using flowtags

Abstract: Middleboxes provide key security and performance guarantees in networks. Unfortunately, the dynamic traffic modifications they induce make it difficult to reason about network management tasks such as access control, accounting, and diagnostics. This also makes it difficult to integrate middleboxes into SDN-capable networks and leverage the benefits that SDN can offer.In response, we develop the FlowTags architecture. FlowTags-enhanced middleboxes export tags to provide the necessary causal context (e.g., source hosts or internal cache/miss state). SDN controllers can configure the tag generation and tag consumption operations using new FlowTags APIs. These operations help restore two key SDN tenets: (i) bindings between packets and their "origins," and (ii) ensuring that packets follow policy-mandated paths.We develop new controller mechanisms that leverage FlowTags. We show the feasibility of minimally extending middleboxes to support FlowTags. We also show that FlowTags imposes low overhead over traditional SDN mechanisms. Finally, we demonstrate the early promise of FlowTags in enabling new verification and diagnosis capabilities.

Certificateless Remote Anonymous Authentication Schemes for WirelessBody Area Networks

Abstract: Wireless body area network (WBAN) has been recognized as one of the promising wireless sensor technologies for improving healthcare service, thanks to its capability of seamlessly and continuously exchanging medical information in real time. However, the lack of a clear in-depth defense line in such a new networking paradigm would make its potential users worry about the leakage of their private information, especially to those unauthenticated or even malicious adversaries. In this paper, we present a pair of efficient and light-weight authentication protocols to enable remote WBAN users to anonymously enjoy healthcare service. In particular, our authentication protocols are rooted with a novel certificateless signature (CLS) scheme, which is computational, efficient, and provably secure against existential forgery on adaptively chosen message attack in the random oracle model. Also, our designs ensure that application or service providers have no privilege to disclose the real identities of users. Even the network manager, which serves as private key generator in the authentication protocols, is prevented from impersonating legitimate users. The performance of our designs is evaluated through both theoretic analysis and experimental simulations, and the comparative studies demonstrate that they outperform the existing schemes in terms of better trade-off between desirable security properties and computational overhead, nicely meeting the needs of WBANs.

DDoS Attack Protection in the Era of Cloud Computing and Software-Defined Networking

Abstract: Cloud computing has become the real trend of enterprise IT service model that offers cost-effective and scalable processing. Meanwhile, Software-Defined Networking (SDN) is gaining popularity in enterprise networks for flexibility in network management service and reduced operational cost. There seems a trend for the two technologies to go hand-in-hand in providing an enterprise's IT services. However, the new challenges brought by the marriage of cloud computing and SDN, particularly the implications on enterprise network security, have not been well understood. This paper sets to address this important problem. We start by examining the security impact, in particular, the impact on DDoS attack defense mechanisms, in an enterprise network where both technologies are adopted. We find that SDN technology can actually help enterprises to defend against DDoS attacks if the defense architecture is designed properly. To that end, we propose a DDoS attack mitigation architecture that integrates a highly programmable network monitoring to enable attack detection and a flexible control structure to allow fast and specific attack reaction. The simulation results show that our architecture can effectively and efficiently address the security challenges brought by the new network paradigm.

Methods and Apparatus for Performing In-Service Software Upgrade for a Network Device Using System Virtulization

Abstract: A method and/or network system is able to perform an in-service software upgrade (“ISSU”) using virtualization technology while ongoing network service is maintained. After receipt of an upgrade signal such as a command of software upgrade, a new or second virtual machine (“VM”) is created in response to the upgrade signal. After downloading the new version of program to the second VM while maintaining the first version of program running on the first VM, the process for providing network management begins to migrate from the first version of program to the new version of program. The process simultaneously facilitates ISSU for a data-path module such as a line card to convert from the previous version of software to the new version of the software.

On the controller placement for designing a distributed SDN control layer

Abstract: The software-defined network (SDN) advocates a centralized network control, where a controller manages a network from a global view of the network. Large SDN networks may consist of multiple controllers or controller domains that distribute the network management between them, where each controller has a logically centralized but physically distributed vision of the network. In this context, a key challenge faced by providers is to define a scalable control network that exploits the benefits of SDN when used in conjunction with efficient management strategies. Most of the control layer models proposed are not concerned with controller scalability, because they assume that commercial controllers are scalable in terms of capacity (quantity of flows processed per second). However, it has been demonstrated that overloads and long propagation delays among controllers and controllers-switches can lead to a long response time of the controllers, affecting their ability to respond to network events in a very short time and reducing the reliability of communication. In this work we define the principles for designing a scalable control layer for SDN, and show the desired control layer characteristics that optimize the management of the network. We address these principles from the perspective of the controller placement problem. For this purpose we improve and evaluate our previous approach, the algorithm called k-Critical. K-Critical discovers the minimum number of controllers and their location to create a robust control topology that deals robustly with failures and balances the load among the selected controllers. The results demonstrate the effectiveness of our solution by comparing it with other controller placement solutions. © 2014 IFIP.

Software-Defined Networking Paradigms in Wireless Networks: A Survey

Abstract: Software-defined networking (SDN) has generated tremendous interest from both academia and industry. SDN aims at simplifying network management while enabling researchers to experiment with network protocols on deployed networks. This article is a distillation of the state of the art of SDN in the context of wireless networks. We present an overview of the major design trends and highlight key differences between them.

Software-defined networking for Smart Grid communications: Applications, challenges and advantages

Abstract: Future power systems are characterized by a high degree of complexity with a large number of intelligent devices, exchanging and processing both huge amounts of data and realtime critical information. Accordingly reliable, real-time capable and secure communication networks are required for enabling autonomous monitoring, management and control to guarantee stable power system operation. In this paper, we present and analyse a flexible and dynamic network control approach based on Software-Defined Networking (SDN) for meeting the specific communication requirements of both distribution and transmission power grid. Therefore a testbed is introduced, enabling the evaluation of multiple failure scenarios such as link disturbance and congestion by analysing corresponding fast recovery and prioritization solutions. The performance and robustness of the developed strategies is shown using highly-critical monitoring and control messages on basis of IEC 61850 and considering the mutual impact with low priority background traffic. Results indicate the advantages of SDN compared to traditional routing and Quality-of-Service mechanisms, providing a more reliable communication network, which is able to handle complex failure scenarios. In particular, SDN enables the integration of diverse network management functions and thus offers the power system new options for dealing with faults even in the case of overall outages. On the basis of these results, we demonstrate challenges and derive future benefits for a SDN-enabled Smart Grid communication network, holding the potential to evolve into a self-healing infrastructure.

Intelligent SDN based Traffic (de)Aggregation and Measurement Paradigm (iSTAMP)

Abstract: Fine-grained traffic flow measurement, which provides useful information for network management tasks and security analysis, can be challenging to obtain due to monitoring resource constraints. The alternate approach of inferring flow statistics from partial measurement data has to be robust against dynamic temporal/spatial fluctuations of network traffic. In this paper, we propose an intelligent Traffic (de)Aggregation and Measurement Paradigm (iSTAMP), which partitions TCAM entries of switches/routers into two parts to: 1) optimally aggregate part of incoming flows for aggregate measurements, and 2) de-aggregate and directly measure the most informative flows for per-flow measurements. iSTAMP then processes these aggregate and per-flow measurements to effectively estimate network flows using a variety of optimization techniques. With the advent of Software-Defined-Networking (SDN), such real-time rule (re)configuration can be achieved via OpenFlow or other similar SDN APIs. We first show how to design the optimal aggregation matrix for minimizing the flow-size estimation error. Moreover, we propose a method for designing an efficient-compressive flow aggregation matrix under hard resource constraints of limited TCAM sizes. In addition, we propose an intelligent Multi-Armed Bandit based algorithm to adaptively sample the most 'rewarding' flows, whose accurate measurements have the highest impact on the overall flow measurement and estimation performance. We evaluate the performance of iSTAMP using real traffic traces from a variety of network environments and by considering two applications: traffic matrix estimation and heavy hitter detection. Also, we have implemented a prototype of iSTAMP and demonstrated its feasibility and effectiveness in Mininet environment. © 2014 IEEE.

Byzantine-Resilient Secure Software-Defined Networks with Multiple Controllers in Cloud

Abstract: Software-defined network (SDN) is the next generation of networking architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today’s applications. In SDN, network management is facilitated through software rather than low-level device configurations. However, the centralized control plane introduced by SDN imposes a great challenge for the network security. In this paper, we present a secure SDN structure, in which each device is managed by multiple controllers, not just a single as in a traditional manner, with the dynamic and isolated instance provided by the cloud. It can resist Byzantine attacks on controllers and the communication links between controllers and SDN switches. Furthermore, we study a controller minimization problem with security requirement and propose a cost-efficient controller assignment algorithm with a constant approximation ratio. From the experiment result, the secure SDN structure has little impact on the network latency, provide better security than general distributed controller, and the proposed algorithm performs higher efficiency than random assignment.

Offering network performance guarantees in multi-tenant datacenters

Abstract: Methods of offering network performance guarantees in multi-tenant datacenters are described. In an embodiment, a request for resources received at a datacenter from a tenant comprises a number of virtual machines and a performance requirement, such as a bandwidth requirement, specified by the tenant. A network manager within the datacenter maps the request onto the datacenter topology and allocates virtual machines within the datacenter based on the available slots for virtual machines within the topology and such that the performance requirement is satisfied. Following allocation, stored residual capacity values for elements within the topology are updated according to the new allocation and this updated stored data is used in mapping subsequent requests onto the datacenter. The allocated virtual machines form part of a virtual network within the datacenter which is allocated in response to the request and two virtual network abstractions are described: virtual clusters and virtual oversubscribed clusters.

SDN traceroute: tracing SDN forwarding without changing network behavior

Abstract: Software-defined networking provides flexibility in designing networks by allowing distributed network state to be managed by logically centralized control programs. However, this flexibility brings added complexity, which requires new debugging tools that can provide insights into network behavior. We propose a tool, SDN traceroute, that can query the current path taken by any packet through an SDN-enabled network. The path is traced by using the actual forwarding mechanisms at each SDN-enabled device without changing the forwarding rules being measured. This enables administrators to discover the forwarding behavior for arbitrary Ethernet packets, as well as debug problems in both switch and controller logic. Our prototype implementation requires only a few high-priority rules per device, runs on commodity hardware using only the required features of the OpenFlow 1.0 specification, and can generate traces in about one millisecond per hop.

Distributed and collaborative traffic monitoring in software defined networks

Abstract: Network traffic monitoring supports fundamental network management tasks However, monitoring tasks introduce non-trivial overhead to network devices such as switches We propose a Distributed and Collaborative Monitoring system, named DCM, with the following properties First, DCM allows switches to collaboratively achieve flow monitoring tasks and balance measurement load Second, DCM is able to perform per-flow monitoring, by which different groups of flows are monitored using different actions Third, DCM is a memory-efficient solution for switch data plane and guarantees system scalability DCM uses novel two-stage Bloom filters to represent monitoring rules using small memory space It utilizes the centralized SDN control to install, update, and reconstruct the two-stage Bloom filters in the switch data plane We study how DCM performs two representative monitoring tasks, namely flow size counting and packet sampling, and evaluate its performance Experiments using real data center and ISP traffic data on real network topologies show that DCM achieves highest measurement accuracy among existing solutions given the same memory budget of switches

Spook in Your Network: Attacking an SDN with a Compromised OpenFlow Switch

Abstract: Software defined networking (SDN) and OpenFlow as one of its key technologies have received a lot of attention from the networking community. While SDN enables complex network applications and easier network management, the paradigm change comes along with new security threats. In this paper, we analyze attacks against a software-defined network in a scenario where the attacker has been able to compromise one or more OpenFlow-capable switches. We find out that such attacker can in suitable environments perform a wide range of attacks, including man-in-the-middle attacks against control-plane traffic, by using only the standard OpenFlow functionality of the switch. Furthermore, we show that in certain scenarios it is nearly impossible to detect that some switch has been compromised. We conclude that while the existing security mechanisms, such as TLS, give protection against many of the presented attacks, the threats should not be overlooked when moving to SDN and OpenFlow.

Handling intrusion and DDoS attacks in Software Defined Networks using machine learning techniques

Abstract: Software-Defined Networking (SDN) is an emerging concept that intends to replace traditional networks by breaking vertical integration. It does so by separating the control logic of network from the underlying switches and routers, suggesting logical centralization of network control, and allowing to program the network. Although SDN promises more flexible network management, there are numerous security threats accompanied with its deployment. This paper aims at studying SDN accompanied with OpenFlow protocol from the perspective of intrusion and Distributed Denial of Service (DDoS) attacks and suggest machine learning based techniques for mitigation of such attacks.

Small-Cell Self-Organizing Wireless Networks

Abstract: Increasing the spatial reuse of frequency spectrum by deploying more access points has historically been the most effective means to improve the capacity of any cellular communication network. Today's mobile networks face a proliferation of data services and overall demand for data traffic that has been strongly increasing over several years. As a result, increasing network capacity through the deployment of small lower power nodes is of key importance for mobile network operators. Although such small access points are conceptually equivalent to conventional cellular base stations in many ways, the expected large number of small cells as well as their much more dynamic unplanned deployment raise a variety of challenges in the area of network management. This paper discusses such challenges and reviews state-of-the-art modeling as well as selected network management techniques.

A network-state management service

Abstract: We present Statesman, a network-state management service that allows multiple network management applications to operate independently, while maintaining network-wide safety and performance invariants. Network state captures various aspects of the network such as which links are alive and how switches are forwarding traffic. Statesman uses three views of the network state. In observed state, it maintains an up-to-date view of the actual network state. Applications read this state and propose state changes based on their individual goals. Using a model of dependencies among state variables, Statesman merges these proposed states into a target state that is guaranteed to maintain the safety and performance invariants. It then updates the network to the target state. Statesman has been deployed in ten Microsoft Azure datacenters for several months, and three distinct applications have been built on it. We use the experience from this deployment to demonstrate how Statesman enables each application to meet its goals, while maintaining network-wide invariants.

Hybrid network management

Abstract: Method and systems for controlling a hybrid network having software-defined network (SDN) switches and legacy switches include initializing a hybrid network topology by retrieving information on a physical and virtual infrastructure of the hybrid network; generating a path between two nodes on the hybrid network based on the physical and virtual infrastructure of the hybrid network; generating a virtual local area network by issuing remote procedure call instructions to legacy switches in accordance with a network configuration request; and generating an SDN network slice by issuing SDN commands to SDN switches in accordance with the network configuration request.

Complexity in Governance Network Theory

Abstract: In this article, we discuss how complexity is viewed in governance network theory. The article provides a systematic elaboration of the notion of complexity, distinguishing three types: substantive, strategic , and institutional complexity. We argue that dealing with these types of complexity in networks is essentially a matter of mutual adaption and cooperation. An important explanation for the occurrence of deadlocks, breakthroughs and outcomes is the presence and the quality of attempts to manage complex interaction processes in networks.

System and method for observing and controlling a programmable network using closed loop control

Abstract: A system and method for observing and controlling a programmable network via higher layer attributes is disclosed. According to one embodiment, the system includes one or more collectors, a network manager, and a programmable network element. The one or more collectors are configured to receive network traffic data from a plurality of network elements and extract metadata from the network traffic data. The network manager is configured to receive metadata from the one or more collectors. The network manager identifies a network control objective for the network, identifies a programmable parameter of the programmable network element to achieve the network control objective, and programs the programmable network element. The network manager further determines whether the network control objective is met after programming the programmable network element and applies a control loop based on the network control objective to program the programmable network element.

Governance, management and performance in public networks: How to be successful in shared-governance networks

Abstract: This paper compares four cases and explores the effects on network performance of network governance, coordination mechanisms, and the abilities of the network manager. The focus is on shared-governance networks, which are in general considered to have difficulties achieving high-level performances. The cross-case comparison suggests a relationship between coordination mechanisms and the way shared-governance networks are managed: in order to be successful, they must be able to rely on formalized mechanisms and make a pool of “network administrators” responsible for their governance.

Design and optimisation of a FAQ-learning-based HTTP adaptive streaming client

Abstract: In recent years, HTTP (Hypertext Transfer Protocol) adaptive streaming (HAS) has become the de facto standard for adaptive video streaming services. A HAS video consists of multiple segments, encoded at multiple quality levels. State-of-the-art HAS clients employ deterministic heuristics to dynamically adapt the requested quality level based on the perceived network conditions. Current HAS client heuristics are, however, hardwired to fit specific network configurations, making them less flexible to fit a vast range of settings. In this article, a (frequency adjusted) Q-learning HAS client is proposed. In contrast to existing heuristics, the proposed HAS client dynamically learns the optimal behaviour corresponding to the current network environment in order to optimise the quality of experience. Furthermore, the client has been optimised both in terms of global performance and convergence speed. Thorough evaluations show that the proposed client can outperform deterministic algorithms by 11–18% in terms o...

A Survey on Encrypted Traffic Classification

Abstract: With the widespread use of encryption techniques in network applications, encrypted network traffic has recently become a great challenge for network management. Studies on encrypted traffic classification not only help to improve the network service quality, but also assist in enhancing network security. In this paper, we first introduce the basic information of encrypted traffic classification, emphasizing the influences of encryption on current classification methodology. Then, we summarize the challenges and recent advances in encrypted traffic classification research. Finally, the paper is ended with some conclusions.

Systems and methods for managing tasks

Abstract: Systems and methods for creating and sharing tasks over one or more networks are disclosed. In one embodiment, a system comprises a message retrieval module configured to retrieve electronic messages and parse them into a plurality of tasks. The system can also include a task creation module configured to process the message to identify task information and one or more task recipients. The task creation module can also be configured to create a task based on the identified task information. A task notification module can be configured to notify the one or more task recipients about the created task. The system may also include a multi-layer network management module configured to organize the tasks and task participants into multiple networks and clouds and into a federation of clouds. The system can also include a task analytics module programmed to analyze the tasks performed by users of the system.