Results 1 - 10 of 39
FRESCO: Modular Composable Security Services for Software-Defined Networks
Cited by 31 (6 self)
Abstract: OpenFlow is an open standard that has gained tremendous interest in the last few years within the network community. It is an embodiment of the software-defined networking paradigm, in which higher-level flow routing decisions are derived from a control layer that, unlike classic network switch implementations, is separated from the data handling layer. The central attraction to this paradigm is that by decoupling the control logic from the closed and proprietary implementations of traditional network switch infrastructure, researchers can more easily design and distribute innovative flow handling and network control algorithms. Indeed, we also believe that OpenFlow can, in time, prove to be one of the more impactful technologies to drive a variety of innovations in network security. OpenFlow could offer a dramatic simplification to the way we design and integrate complex network security applications into large networks. However, to date there remains a stark paucity of compelling OpenFlow security applications. In this paper, we introduce FRESCO, an OpenFlow security application development framework designed to facilitate the rapid design and modular composition of OF-enabled detection and mitigation modules. FRESCO, which is itself an OpenFlow application, offers a Click-inspired [19] programming framework that enables security researchers to implement, share, and compose together many different security detection and mitigation modules. We demonstrate the utility of FRESCO through the implementation of several well-known security defenses as OpenFlow security services, and use them to examine various performance and efficiency aspects of our proposed framework.
Software-Defined Networking: A Comprehensive Survey
2014
Cited by 20 (3 self)
Abstract: The Internet has led to the creation of a digital society, where (almost) everything is connected and is accessible from anywhere. However, despite their widespread adoption, traditional IP networks are complex and very hard to manage. It is both difficult to configure the network according to pre-defined policies, and to reconfigure it to respond to faults, load and changes. To make matters even more difficult, current networks are also vertically integrated: the control and data planes are bundled together. Software-Defined Networking (SDN) is an emerging paradigm that promises to change this state of affairs, by breaking vertical integration, separating the network’s control logic from the underlying routers and switches, promoting (logical) centralization of network control, and introducing the ability to program the network. The separation of concerns introduced between the definition of network policies, their
A Survey of Software-Defined Networking: Past, Present, and Future of Programmable Networks
2013
Cited by 16 (2 self)
Abstract: The idea of programmable networks has recently regained considerable momentum due to the emergence of the Software-Defined Networking (SDN) paradigm. SDN, often referred to as a “radical new idea in networking”, promises to dramatically simplify network management and enable innovation through network programmability. This paper surveys the state-of-the-art in programmable networks with an emphasis on SDN. We provide a historic perspective of programmable networks from early ideas to recent developments. Then we present the SDN architecture and the OpenFlow standard in particular, discuss current alternatives for implementation and testing of SDN-based protocols and services, examine current and future SDN applications, and explore promising research directions based on the SDN paradigm.
Scalable rule management for data centers
In NSDI, 2013
Cited by 14 (3 self)
Abstract: Cloud operators increasingly need more and more fine-grained rules to better control individual network flows for various traffic management policies. In this paper, we explore automated rule management in the context of a system called vCRIB (a virtual Cloud Rule Information Base), which provides the abstraction of a centralized rule repository. The challenge in our approach is the design of algorithms that automatically off-load rule processing to overcome resource constraints on hypervisors and/or switches, while minimizing redirection traffic overhead and responding to system dynamics. vCRIB contains novel algorithms for finding feasible rule placements and adapting traffic overhead induced by rule placement in the face of traffic changes and VM migration. We demonstrate that vCRIB can find feasible rule placements with less than 10% traffic overhead even in cases where the traffic-optimal rule placement may be infeasible with respect to hypervisor CPU or memory constraints.
SDX: A Software Defined Internet Exchange
Cited by 13 (4 self)
‡ These authors contributed equally to this work.
Abstract: Deploying software-defined networking (SDN) at Internet Exchange Points (IXPs) offers new hope for solving longstanding problems in interdomain routing. SDN allows direct expression of more flexible policies, and IXPs are central rendezvous points that are in the midst of a rebirth, making them a natural place to start. We present the design of an SDN exchange point (SDX) that enables much more expressive policies than conventional hop-by-hop, destination-based forwarding. ISPs can apply many diverse actions on packets based on multiple header fields, and distant networks can exercise “remote control” over packet handling. This flexibility enables applications such as inbound traffic engineering, redirection of traffic to middleboxes, wide-area server load balancing, and blocking of unwanted traffic. Supporting these applications requires effective ways to combine the policies of multiple ISPs. Our SDX controller provides each ISP the abstraction of its own virtual switch and sequentially composes the policies of different ISPs into a single set of rules in the physical switches. Preliminary experiments on our operational SDX demonstrate the potential for changing interdomain routing from the inside out.
Network Innovation using OpenFlow: A Survey
IEEE Communications Surveys & Tutorials, accepted for publication, 2013
"... OpenFlow is currently the most commonly deployed ..."
Concurrent NetCore: From Policies to Pipelines
Cited by 5 (3 self)
Abstract: In a Software-Defined Network (SDN), a central, computationally powerful controller manages a set of distributed, computationally simple switches. The controller computes a policy describing how each switch should route packets and populates packet-processing tables on each switch with rules to enact the routing policy. As network conditions change, the controller continues to add and remove rules from switches to adjust the policy as needed. Recently, the SDN landscape has begun to change as several proposals for new, reconfigurable switching architectures, such as RMT [5] and FlexPipe [14], have emerged. These platforms provide switch programmers with many flexible tables for storing packet-processing rules, and they offer programmers control over the packet fields that each table can analyze and act on. These reconfigurable switch architectures support a richer SDN model
Named Functions and Cached Computations
Cited by 2 (2 self)
Abstract: Current ICN research favors a key-value-store view of the network, where location-agnostic names typically resolve to documents, data blocks or sensor values. We believe that names should not only refer to data but also to functions and computation tasks. In Named Function Networking (NFN) the network’s role becomes to resolve names to computations, for example by reducing λ-expressions. In doing so, the network starts acting like a computing machine, capable of caching not only content but also computation results. We present basic concepts of NFN and report on our implementation that embeds the name resolution logic of CCNx in a generic resolver of λ-expressions. We demonstrate its resolution power beyond mere content-pull, to also leverage code-drag and computation-push as well as generalizing CCNx protocol functions.
Index Terms: Computer networks, information centric networking, named data networking, network architecture.
Intentional Network Monitoring: Finding the Needle without Capturing the Haystack
Cited by 2 (0 self)
Abstract: Monitoring network traffic serves many purposes, from security to accounting, yet current mechanisms for collecting network traffic are typically based on low-level features of network traffic (e.g., IP addresses, port numbers), rather than characteristics that more closely map to intent (e.g., people, applications, or devices). In this paper, we present the case for intentional network monitoring, the practice of capturing the minimal set of traffic that satisfies the operator’s monitoring intent or goal, and a preliminary design and implementation for NetAssay, a system that enables intentional monitoring. A significant challenge in developing NetAssay is developing a runtime that can maintain a mapping between stable abstractions that an operator or programmer might use to express intent (e.g., a username) and the dynamic, heterogeneous data that establishes these associations (e.g., information from a login server or DNS record). We present examples that show how the NetAssay runtime can perform late binding between these mappings and network flow space and discuss the research and technical challenges associated with establishing more general late-binding mechanisms.
Programming Abstractions for Software-Defined Wireless Networks
Cited by 1 (1 self)
Abstract: ... the last years, significant interest from the academic and the industrial communities alike. The decoupled control and data planes found in an SDN allow for logically centralized intelligence in the control plane and generalized network hardware in the data plane. Although the current SDN ecosystem provides rich support for wired packet-switched networks, the same cannot be said for wireless networks, where specific radio data-plane abstractions, controllers, and programming primitives are still yet to be established. In this work, we present a set of programming abstractions modeling the fundamental aspects of a wireless network, namely state management, resource provisioning, network monitoring, and network reconfiguration. The proposed abstractions hide away the implementation details of the underlying wireless technology, providing programmers with expressive tools to control the state of the network. We also present a Software-