Alaitz Mendiola

FlowNAC: Flow-based Network Access Control

This paper presents FlowNAC, a Flow-based Network Access Control solution that allows to grant users the rights to access the network depending on the target service requested. Each service, defined univocally as a set of flows, can be independently requested and multiple services can be authorized simultaneously. Building this proposal over SDN principles has several benefits: SDN adds the appropriate granularity (fine-or coarse-grained) depending on the target scenario and flexibility to dynamically identify the services at data plane as a set of flows to enforce the adequate policy. FlowNAC uses a modified version of IEEE 802.1X (novel EAPoL-in-EAPoL encapsulation) to authenticate the users (without the need of a captive portal) and service level access control based on proactive deployment of flows (instead of reactive). Explicit service request avoids misidentifying the target service, as it could happen by analyzing the traffic (e.g. private services). The proposal is evaluated in a challenging scenario (concurrent authentication and authorization processes) with promising results.

Implementing Layer 2 Network Virtualization Using OpenFlow: Challenges and Solutions

Novel approaches for network virtualization at Layer 2 which are not based on VLAN have became a real possibility since the appearance of Software Defined Networking and OpenFlow in particular. We have deployed our own network virtualization facility based on Layer 2 prefixes using OpenFlow: the EHU OpenFlow Enabled Facility (EHU-OEF). We have implemented a solution that allows research and production traffic to share the same infrastructure without interfering with each other. It requires minimum configuration in the case of researchers and none in the case of non-technical users. In our deployment we found several challenges with Layer 2 protocols that use broadcast/multicast addresses due to the use of OpenFlow. In order to solve those challenges, we developed several custom modules for the OpenFlow controller and made some changes in the Flow Visor. Finally, the design of the EHU-OEF facility as well as some configuration details are described.

A survey on the contributions of Software-Defined Networking to Traffic Engineering

Since the appearance of OpenFlow back in 2008, software-defined networking (SDN) has gained momentum. Although there are some discrepancies between the standards developing organizations working with SDN about what SDN is and how it is defined, they all outline traffic engineering (TE) as a key application. One of the most common objectives of TE is the congestion minimization, where techniques such as traffic splitting among multiple paths or advanced reservation systems are used. In such a scenario, this manuscript surveys the role of a comprehensive list of SDN protocols in TE solutions, in order to assess how these protocols can benefit TE. The SDN protocols have been categorized using the SDN architecture proposed by the open networking foundation, which differentiates among data-controller plane interfaces, application-controller plane interfaces, and management interfaces, in order to state how the interface type in which they operate influences TE. In addition, the impact of the SDN protocols on TE has been evaluated by comparing them with the path computation element (PCE)-based architecture. The PCE-based architecture has been selected to measure the impact of SDN on TE because it is the most novel TE architecture until the date, and because it already defines a set of metrics to measure the performance of TE solutions. We conclude that using the three types of interfaces simultaneously will result in more powerful and enhanced TE solutions, since they benefit TE in complementary ways.

The EHU-OEF: An OpenFlow-based Layer-2 experimental facility

Abstract The current limitations of the Internet have prompted the appearance of the Future Internet initiative, which promotes the deployment of newly proposed infrastructures. In this context, experimental facilities emerge to provide realistic scenarios that allow the testing and advance the research of these novel approaches. From a technical standpoint, building a facility’s infrastructure is challenging and demanding because several requirements, such as its flexibility, support for multiple experiments, isolation and virtualisation, must be fulfilled. To investigate potential Future Internet initiatives, we designed, developed, and deployed our own experimental facility that addresses the aforementioned requirements: the EHU OpenFlow Enabled Facility (EHU-OEF). In this article, we present the EHU-OEF, which is a campus-wide facility based on OpenFlow that simultaneously supports both research and production traffic over the same infrastructure. Because this facility is based, in particular, on the OpenFlow technology and, more generally, follows the Software Defined Networking paradigm, the EHU-OEF provides researchers with the ability to programme the network. Thanks to this property, flexibility and isolation of both the control and the data planes among the experiments are addressed. This article also presents a novel method of network virtualisation at the link layer, the L2PNV approach, which ensures scalability by aggregating MAC addresses. This approach has been implemented with a modification of the FlowVisor controller originally developed at Stanford, which is a special-purpose OpenFlow controller that introduces a software slicing layer between OpenFlow switches and multiple OpenFlow controllers. This article also presents other contributions that have been developed through a successful deployment methodology in the facility, including an authentication and authorisation module, a MAC configuration module and a Prefix-Based Forwarding Decision module. In conclusion, the EHU-OEF facility possesses an excellent infrastructure designed to test and to validate novel proposals under real conditions, and this facility acts as a stepping stone for Future Internet testbeds.

Integrating Complex Legacy Systems under OpenFlow Control: The DOCSIS Use Case

The possibility to deploy telecommunication services based on the availability of a fully flow-aware network is an appealing possibility. Concepts like Network Service Chaining and Network Function Virtualization expect the information to be manageable at the flow level. But, for this concept to be available for the development of user-centric applications, the access network should also be made flow-aware. In this paper we present the integration of a legacy DOCSIS based access network under an OpenFlow Control Framework by using the Hardware Abstraction Layer designed in the FP7 ALIEN project. The result is a dynamic wide area OpenFlow switch that spawns from the aggregation switch to the home equipment and hides all the complexity (including the provisioning) of the access technology to an unmodified and standard OpenFlow controller. As a result, the access network can react not only to any kind of user traffic but also to the connection of CPE to the network. The approach used is technology independent, and the results have been successfully demonstrated over a Cisco based DOCSIS access network.

Towards an SDN-based bandwidth on demand service for the European research community

Geant, the pan-European Research and Education Network (REN) is working on a Software-Defined Networking (SDN) solution to improve the provisioning of the Bandwidth on Demand (BoD) service. The SDN-based solution will integrate with the current provisioning tool, AutoBAHN, to add support for OpenFlow domains. One of the main benefits of this approach is that the solution will still be compliant with the Network Services Interface (NSI-CS) protocol to support multi-domain service provisioning. The core element of the solution is the Dynamic Path Computation (DynPaC) framework, an advanced reservation system for OpenFlow domains that allows the establishment of resilient Layer 2 services with bandwidth and VLAN constraints. This paper presents all the phases in the deployment of this SDN solution: the functional requirements definition, the evaluation of OpenDaylight and ONOS to select the appropriate network operating system, and the evolution of the DynPaC framework from its first implementation to the future integration in ONOS.

Multi-domain bandwidth on demand service provisioning using SDN

Aware of the benefits that Software-Defined Networking (SDN) can entail for traffic engineered services, the pan-European National Research and Education Network (NREN) Géant has started to work on an SDN-based solution to provide Bandwidth on Demand (BoD) services. The proposed solution relies on a framework called DynPaC, which is able to provide resilient L2 services taking into account bandwidth and VLAN utilization constraints. DynPaC has been extended to be compliant with the Network Services Interface-Connection Service (NSICS) protocol, which makes the SDN-based BoD solution multidomain capable. The demo described in this paper demonstrates the establishment of multi-domain BoD services across OpenFlow and non-OpenFlow domains, how the traffic is limited at the networking devices to enforce the QoS constraints, also selecting the optimal intra-domain paths during the process, and how the traffic is re-routed to alternative pre-computed paths in case of link-failure, always without disrupting the service provisioning.

Deploying SDN in GÉANT production network

Since the demand for more bandwidth, agile infrastructures and services grows, it becomes challenging for Service Providers like GEANT to manage the proprietary underlay, while keeping costs low. In such a scenario, Software Defined Networking (SDN), open hardware and open source software prove to be key components to address those challenges. After one year of development, SDX-L2 and BoD, the SDN-ization of the GEANT Open and Bandwidth on Demand (BoD) services, have been brought to the pilot status and GEANT is now testing the outcomes on its operational network. In this demonstration, we show BoD and SDX-L2 “going live” at the GEANT production infrastructure. The pilots run on the same underlay infrastructure thanks to the virtualization capabilities of the network devices. Provisioning of the services is covered during the demo. In the final steps of the demonstration, we show how the infrastructure is able to automatically manage network events and how it remains operational in the case of fault events.

An architecture for dynamic QoS management at Layer 2 for DOCSIS access networks using OpenFlow

Over the last few years, Software-Defined Networking (SDN) has emerged as one of the most disruptive and profitable novelties in networking. SDN was originally conceived to improve performance and reduce costs in Ethernet-based networks and it has been widely adopted in data center and campus networks. Similarly, thanks to the introduction of SDN concepts, access networks will benefit from the higher control, the lower maintenance costs and the better remote access to devices of SDN. However, its application to access networks is not straightforward and imposes great challenges to vendors and network operators, since current SDN technologies are not prepared to handle the provisioning of user equipment, specific port management or QoS requirements of common access networks. Most recent trends dealing with the SDN-ization of access networks advocate for the use of simple devices at the customer premises and the virtualization of the networking functionalities, requiring the provisioning of Layer 2 services in many cases. In such a scenario, this paper presents an architecture that brings SDN to common access networks using legacy equipment. In a nutshell, the architecture is based on the abstraction of the access network as a wide area OpenFlow switch where QoS-enabled pipes are dynamically created leveraging the high granularity of the OpenFlow protocol for packet classification. Furthermore, the OpenFlow protocol itself has been extended in order to support the advanced QoS requirements that are common to most access networks. The architecture has been implemented for DOCSIS access networks and it has been validated and evaluated using a real testbed deployed at our laboratory. The obtained results show that the architecture remains compliant with the ITU-T QoS recommendations and that the cost of introducing the elements required by the architecture in terms of service performance is negligible.

GÉANT SDX — SDN based Open eXchange Point

Different reasons make SDN an attractive choice for Service Providers like GÉANT: new functionality, improvement of flexibility and automation of operational processes. In this demonstration, we present the SDNization of GÉANT Open service, which is currently delivered through a set of Open eXchange Points (OXP) based on traditional (non-SDN) solutions. Using this service, GÉANT customers and approved commercial partners can interconnect via Layer 2 circuits. The SDN based service has been built on top of the Open Networking Operating System (ONOS) and runs on white box switches for the data plane. The live demo is based on remote access to the real prototype which runs in the GÉANT Cambridge Lab. During the demo we show how an operator can deploy the services and how the SDN network can be monitored and managed. Finally, we demonstrate how the infrastructure is able to automatically manage network events and adapt to network changes.